Identify and securely provision information assets, establish handling requirements, manage the data lifecycle, and apply data security controls to comply with applicable laws.

• 2.1 Identify and classify information and assets
• 2.2 Establish information and asset handling requirements
• 2.3 Provision resources securely
• 2.4 Manage data lifecycle
• 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
• 2.6 Determine data security controls and compliance requirements

Apply the principles of secure design to engineering processes. Choose the appropriate security controls for sites, facilities, and systems. Understand cryptanalytic attacks and select cryptographic solutions.

• 3.1 Research, implement and manage engineering processes using secure design principles
• 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
• 3.3 Select controls based upon systems security requirements
• 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
• 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
• 3.6 Select and determine cryptographic solutions
• 3.7 Understand methods of cryptanalytic attacks
• 3.8 Apply security principles to site and facility design
• 3.9 Design site and facility security controls

Implement secure design principles in network architectures, secure network components, and implement secure communication channels.

• 4.1 Assess and implement secure design principles in network architectures
• 4.2 Secure network components
• 4.3 Implement secure communication channels according to design

Control physical and logical access to assets and manage identification and authentication of people, devices, and services, including third-party federation. Implement and manage authentication systems and authorization mechanisms. Manage identity and access provisioning.

• 5.1 Control physical and logical access to assets
• 5.2 Manage identification and authentication of people, devices, and services
• 5.3 Federated identity with a third-party service
• 5.4 Implement and manage authorization mechanisms
• 5.5 Manage the identity and access provisioning lifecycle
• 5.6 Implement authentication systems

Design and validate assessment, test, and audit strategies, conduct security control testing, collect security process data, analyze test output, and conduct or facilitate security audits.

• 6.1 Design and validate assessment, test, and audit strategies
• 6.2 Conduct security control testing
• 6.3 Collect security process data (e.g., technical and administrative)
• 6.4 Analyze test output and generate report
• 6.5 Conduct or facilitate security audits

Conduct logging and monitoring activities, configuration management, patch management, disaster recovery, and incident managment. Test disaster recovery and business continuity plans. Manage personnel safety and physical security. Comply with change management and forensic investigations.

• 7.1 Understand and comply with investigations
• 7.2 Conduct logging and monitoring activities
• 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
• 7.4 Apply foundational security operations concepts
• 7.5 Apply resource protection
• 7.6 Conduct incident management
• 7.7 Operate and maintain detective and preventive measures
• 7.8 Implement and support patch and vulnerability management
• 7.9 Understand and participate in change management processes
• 7.10 Implement recovery strategies
• 7.11 Implement Disaster Recovery (DR) processes
• 7.12 Test Disaster Recovery Plans (DRP)
• 7.13 Participate in Business Continuity (BC) planning and exercises
• 7.14 Implement and manage physical security
• 7.15 Address personnel safety and security concerns

Understand and integrate security in the Software Development Life Cycle (SDLC), identify and apply security controls in development environments, assess the effectiveness of software security, assess the security impact of acquired software, and define and apply secure coding guidelines and standards.

• 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
• 8.2 Identify and apply security controls in development environments
• 8.3 Assess the effectiveness of software security
• 8.4 Assess security impact of acquired software
• 8.5 Define and apply secure coding guidelines and standards