Security Controls Catalog of MODERATE Baseline Controls

The Texas A&M Transportation Institute Security Control Standards Catalog (“Controls Catalog”) establishes the minimum standards and controls for agency information security in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202). For more information, visit the Policy and Standards page.

Procedure ID	Procedure Name	NIST Priority
Access Control
AC-01-727	Access Control Policy and Procedures	P1
AC-02-727	Account Management	P1
AC-03-727	Access Enforcement	P1
AC-04-727	Information Flow Enforcement	P1
AC-05-727	Separation of Duties	P1
AC-06-727	Least Privilege	P1
AC-07-727	Unsuccessful Logon Attempts	P2
AC-08-727	System Use Notification	P1
AC-11-727	Session Lock	P3
AC-12-727	Session Termination	P2
AC-14-727	Permitted Actions without Identification or Authentication	P3
AC-17-727	Remote Access	P1
AC-18-727	Wireless Access	P1
AC-19-727	Access Control for Mobile Devices	P1
AC-20-727	Use of External Information Systems	P1
AC-21-727	Information Sharing	P2
AC-22-727	Publicly Accessible Content	P3
Awareness and Training
AT-01-727	Security Awareness and Training Policy and Procedures	P1
AT-02-727	Security Awareness Training	P1
AT-03-727	Role-Based Security Training	P1
AT-04-727	Security Training Records	P3
Audit and Accountability
AU-01-727	Audit and Accountability Policy and Procedures	P1
AU-02-727	Audit Events	P1
AU-03-727	Content of Audit Records	P1
AU-04-727	Audit Storage Capacity	P1
AU-05-727	Response to Audit Processing Failures	P1
AU-06-727	Audit Review, Analysis, and Reporting	P1
AU-07-727	Audit Reduction and Report Generation	P2
AU-08-727	Time Stamps	P1
AU-09-727	Protection of Audit Information	P1
AU-11-727	Audit Record Retention	P3
AU-12-727	Audit Generation	P1
Security Assessment and Authorization
CA-01-727	Security Assessment and Authorization Policy and Procedures	P1
CA-02-727	Security Assessments	P2
CA-03-727	System Interconnections	P1
CA-05-727	Plan of Action and Milestones	P3
CA-06-727	Security Authorization	P2
CA-07-727	Continuous Monitoring	P2
CA-09-727	Internal System Connections	P2
Configuration Management
CM-01-727	Configuration Management Policy and Procedures	P1
CM-02-727	Baseline Configuration	P1
CM-03-727	Configuration Change Control	P1
CM-04-727	Security Impact Analysis	P2
CM-05-727	Access Restrictions for Change	P1
CM-06-727	Configuration Settings	P1
CM-07-727	Least Functionality	P1
CM-08-727	Information System Component Inventory	P1
CM-09-727	Configuration Management Plan	P1
CM-10-727	Software Usage Restrictions	P2
CM-11-727	User-Installed Software	P1
Contingency Planning
CP-01-727	Contingency Planning Policy and Procedures	P1
CP-02-727	Contingency Plan	P1
CP-03-727	Contingency Training	P2
CP-04-727	Contingency Plan Testing	P2
CP-06-727	Alternate Storage Site	P1
CP-07-727	Alternate Processing Site	P1
CP-08-727	Telecommunications Services	P1
CP-09-727	Information System Backup	P1
CP-10-727	Information System Recovery and Reconstitution	P1
Identification and Authentication
IA-01-727	Identification and Authentication Policy and Procedures	P1
IA-02-727	Identification and Authentication (Organizational Users)	P1
IA-03-727	Device Identification and Authentication	P1
IA-04-727	Identifier Management	P1
IA-05-727	Authenticator Management	P1
IA-06-727	Authenticator Feedback	P2
IA-07-727	Cryptographic Module Authentication	P1
IA-08-727	Identification and Authentication (Non-Organizational Users)	P1
Incident Response
IR-01-727	Incident Response Policy and Procedures	P1
IR-02-727	Incident Response Training	P2
IR-03-727	Incident Response Testing	P2
IR-04-727	Incident Handling	P1
IR-05-727	Incident Monitoring	P1
IR-06-727	Incident Reporting	P1
IR-07-727	Incident Response Assistance	P2
IR-08-727	Incident Response Plan	P1
Maintenance
MA-01-727	System Maintenance Policy and Procedures	P1
MA-02-727	Controlled Maintenance	P2
MA-03-727	Maintenance Tools	P3
MA-04-727	Nonlocal Maintenance	P2
MA-05-727	Maintenance Personnel	P2
MA-06-727	Timely Maintenance	P2
Media Protection
MP-01-727	Media Protection Policy and Procedures	P1
MP-02-727	Media Access	P1
MP-03-727	Media Marking	P2
MP-04-727	Media Storage	P1
MP-05-727	Media Transport	P1
MP-06-727	Media Sanitization	P1
MP-07-727	Media Use	P1
Physical and Environmental Protection
PE-01-727	Physical and Environmental Protection Policies and Procedures	P1
PE-02-727	Physical Access Authorizations	P1
PE-03-727	Physical Access Control	P1
PE-04-727	Access Control for Transmission Medium	P1
PE-05-727	Access Control for Output Devices	P2
PE-06-727	Monitoring Physical Access	P1
PE-08-727	Visitor Access Records	P3
PE-09-727	Power Equipment and Cabling	P1
PE-10-727	Emergency Shutoff	P1
PE-11-727	Emergency Power	P1
PE-12-727	Emergency Lighting	P1
PE-13-727	Fire Protection	P1
PE-14-727	Temperature and Humidity Controls	P1
PE-15-727	Water Damage Protection	P1
PE-16-727	Delivery and Removal	P2
PE-17-727	Alternate Work Site	P2
Planning
PL-01-727	Security Planning Policy and Procedures	P1
PL-02-727	System Security Plan	P1
PL-04-727	Rules of Behavior	P2
PL-08-727	Information Security Architecture	P1
Personnel Security
PS-01-727	Personnel Security Policy and Procedures	P1
PS-02-727	Position Risk Designation	P1
PS-03-727	Personnel Screening	P1
PS-04-727	Personnel Termination	P1
PS-05-727	Personnel Transfer	P2
PS-06-727	Access Agreements	P3
PS-07-727	Third-Party Personnel Security	P1
PS-08-727	Personnel Sanctions	P3
Risk Assessment
RA-01-727	Risk Assessment Policy and Procedures	P1
RA-02-727	Security Categorization	P1
RA-03-727	Risk Assessment	P1
RA-05-727	Vulnerability Scanning	P1
Security Assessment and Authorization
SA-01-727	System and Services Acquisition Policy and Procedures	P1
SA-02-727	Allocation of Resources	P1
SA-03-727	System Development Life Cycle	P1
SA-04-727	Acquisition Process	P1
SA-05-727	Information System Documentation	P2
SA-08-727	Security Engineering Principles	P1
SA-09-727	External Information System Services	P1
SA-10-727	Developer Configuration Management	P1
SA-11-727	Developer Security Testing and Evaluation	P1
System and Communications Protection
SC-01-727	System and Communications Protection Policy and Procedures	P1
SC-02-727	Application Partitioning	P1
SC-04-727	Information in Shared Resources	P1
SC-05-727	Denial of Service Protection	P1
SC-07-727	Boundary Protection	P1
SC-08-727	Transmission Confidentiality and Integrity	P1
SC-10-727	Network Disconnect	P2
SC-12-727	Cryptographic Key Establishment and Management	P1
SC-13-727	Cryptographic Protection	P1
SC-15-727	Collaborative Computing Devices	P1
SC-17-727	Public Key Infrastructure Certificates	P1
SC-18-727	Mobile Code	P2
SC-19-727	Voice over Internet Protocol	P1
SC-20-727	Secure Name/Address Resolution Service (Authoritative Source)	P1
SC-21-727	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	P1
SC-22-727	Architecture and Provisioning for Name/Address Resolution Service	P1
SC-23-727	Session Authenticity	P1
SC-28-727	Protection of Information at Rest	P1
SC-39-727	Process Isolation	P1
System and Information Integrity
SI-01-727	System and Information Integrity Policy and Procedures	P1
SI-02-727	Flaw Remediation	P1
SI-03-727	Malicious Code Protection	P1
SI-04-727	Information System Monitoring	P1
SI-05-727	Security Alerts, Advisories, and Directives	P1
SI-07-727	Software, Firmware, and Information Integrity	P1
SI-08-727	Spam Protection	P2
SI-10-727	Information Input Validation	P1
SI-11-727	Error Handling	P2
SI-12-727	Information Output Handling and Retention	P2
SI-16-727	Memory Protection	P1

Security Controls Catalog of MODERATE Baseline Controls

Search Control Catalog

Control Audiences

Control Baselines

Control Families