| AC — Access Control |
| AC-01 — Policy and Procedures | Organization | — |
| AC-02 — Account Management | Organization | — |
| AC-02(03) — Disable Accounts | Information System | — |
| AC-02(07) — Privileged User Accounts | Organization | — |
| AC-03 — Access Enforcement | Information System | — |
| AC-03(07) — Role-based Access Control | Organization | — |
| AC-05 — Separation of Duties | Organization | — |
| AC-06 — Least Privilege | Organization | — |
| AC-07 — Unsuccessful Logon Attempts | Information System | — |
| AC-08 — System Use Notification | Organization | — |
| AC-11 — Device Lock | Information System | — |
| AC-14 — Permitted Actions Without Identification or Authentication | Organization | — |
| AC-17 — Remote Access | Organization | — |
| AC-18 — Wireless Access | Organization | — |
| AC-19 — Access Control for Mobile Devices | Organization | — |
| AC-20 — Use of External Systems | Organization | — |
| AC-22 — Publicly Accessible Content | Organization | — |
| AT — Awareness and Training |
| AT-01 — Policy and Procedures | Organization | — |
| AT-02 — Literacy Training and Awareness | Common (Organization) | TAMUS Cybersecurity |
| AT-02(02) — Insider Threat | Common (Organization) | TAMUS Cybersecurity |
| AT-02(03) — Social Engineering and Mining | Common (Organization) | TAMUS Cybersecurity |
| AT-03 — Role-based Training | Organization | — |
| AT-04 — Training Records | Hybrid (Organization) | TrainTraq (for literacy training records) |
| AU — Audit and Accountability |
| AU-01 — Policy and Procedures | Organization | — |
| AU-02 — Event Logging | Organization | — |
| AU-03 — Content of Audit Records | Information System | — |
| AU-04 — Audit Log Storage Capacity | Organization | — |
| AU-05 — Response to Audit Logging Process Failures | Information System | — |
| AU-06 — Audit Record Review, Analysis, and Reporting | Organization | — |
| AU-08 — Time Stamps | Information System | — |
| AU-09 — Protection of Audit Information | Information System | — |
| AU-11 — Audit Record Retention | Organization | — |
| AU-12 — Audit Record Generation | Information System | — |
| CA — Assessment, Authorization, and Monitoring |
| CA-01 — Policy and Procedures | Organization | — |
| CA-02 — Control Assessments | Organization | — |
| CA-02(01) — Independent Assessors | Organization | — |
| CA-03 — Information Exchange | Organization | — |
| CA-05 — Plan of Action and Milestones | Organization | — |
| CA-06 — Authorization | Organization | — |
| CA-07 — Continuous Monitoring | Organization | — |
| CA-07(04) — Risk Monitoring | Organization | — |
| CA-08 — Penetration Testing | Organization | — |
| CA-09 — Internal System Connections | Organization | — |
| CM — Configuration Management |
| CM-01 — Policy and Procedures | Organization | — |
| CM-02 — Baseline Configuration | Organization | — |
| CM-03 — Configuration Change Control | Organization | — |
| CM-03(02) — Testing, Validation, and Documentation of Changes | Organization | — |
| CM-04 — Impact Analyses | Organization | — |
| CM-05 — Access Restrictions for Change | Organization | — |
| CM-06 — Configuration Settings | Organization | — |
| CM-07 — Least Functionality | Organization | — |
| CM-08 — System Component Inventory | Organization | — |
| CM-10 — Software Usage Restrictions | Organization | — |
| CM-11 — User-installed Software | Organization | — |
| CP — Contingency Planning |
| CP-01 — Policy and Procedures | Organization | — |
| CP-02 — Contingency Plan | Organization | — |
| CP-02(01) — Coordinate with Related Plans | Organization | — |
| CP-03 — Contingency Training | Organization | — |
| CP-04 — Contingency Plan Testing | Organization | — |
| CP-04(01) — Coordinate with Related Plans | Organization | — |
| CP-06 — Alternate Storage Site | Organization | — |
| CP-07 — Alternate Processing Site | Organization | — |
| CP-08 — Telecommunications Services | Organization | — |
| CP-09 — System Backup | Organization | — |
| CP-09(02) — Test Restoration Using Sampling | Organization | — |
| CP-09(03) — Separate Storage for Critical Information | Organization | — |
| CP-10 — System Recovery and Reconstitution | Organization | — |
| CP-11 — Alternate Communications Protocols | Organization | — |
| IA — Identification and Authentication |
| IA-01 — Policy and Procedures | Organization | — |
| IA-02 — Identification and Authentication (Organizational Users) | Organization | — |
| IA-02(01) — Multi-factor Authentication to Privileged Accounts | Information System | — |
| IA-02(02) — Multi-factor Authentication to Non-privileged Accounts | Information System | — |
| IA-04 — Identifier Management | Organization | — |
| IA-05 — Authenticator Management | Organization | — |
| IA-05(01) — Password-based Authentication | Organization | — |
| IA-05(09) — Federated Credential Management | Organization | — |
| IA-06 — Authentication Feedback | Information System | — |
| IA-07 — Cryptographic Module Authentication | Information System | — |
| IA-08 — Identification and Authentication (Non-organizational Users) | Information System | — |
| IA-11 — Re-authentication | Organization | — |
| IA-12 — Identity Proofing | Organization | — |
| IA-12(02) — Identity Evidence | Organization | — |
| IA-12(03) — Identity Evidence Validation and Verification | Organization | — |
| IR — Incident Response |
| IR-01 — Policy and Procedures | Organization | — |
| IR-02 — Incident Response Training | Organization | — |
| IR-03 — Incident Response Testing | Organization | — |
| IR-04 — Incident Handling | Common (Organization) | TAMUS Cybersecurity |
| IR-04(08) — Correlation with External Organizations | Organization | — |
| IR-04(14) — Security Operations Center | Common (Organization) | TAMUS Cybersecurity |
| IR-05 — Incident Monitoring | Hybrid (Organization) | TAMUS Cybersecurity (for incidents managed by TAMUS Cyber Operations) |
| IR-06 — Incident Reporting | Organization | — |
| IR-06(01) — Automated Reporting | Organization | — |
| IR-07 — Incident Response Assistance | Organization | — |
| IR-08 — Incident Response Plan | Organization | — |
| IR-09 — Information Spillage Response | Organization | — |
| MA — Maintenance |
| MA-01 — Policy and Procedures | Organization | — |
| MA-02 — Controlled Maintenance | Organization | — |
| MA-04 — Nonlocal Maintenance | Organization | — |
| MA-05 — Maintenance Personnel | Organization | — |
| MP — Media Protection |
| MP-01 — Policy and Procedures | Organization | — |
| MP-02 — Media Access | Organization | — |
| MP-03 — Media Marking | Organization | — |
| MP-06 — Media Sanitization | Organization | — |
| MP-06(01) — Review, Approve, Track, Document, and Verify | Organization | — |
| MP-07 — Media Use | Organization | — |
| PE — Physical and Environmental Protection |
| PE-01 — Policy and Procedures | Organization | — |
| PE-02 — Physical Access Authorizations | Organization | — |
| PE-03 — Physical Access Control | Organization | — |
| PE-06 — Monitoring Physical Access | Organization | — |
| PE-06(03) — Video Surveillance | Organization | — |
| PE-08 — Visitor Access Records | Organization | — |
| PE-12 — Emergency Lighting | Organization | — |
| PE-13 — Fire Protection | Organization | — |
| PE-14 — Environmental Controls | Organization | — |
| PE-15 — Water Damage Protection | Organization | — |
| PE-16 — Delivery and Removal | Organization | — |
| PE-17 — Alternate Work Site | Organization | — |
| PE-18 — Location of System Components | Organization | — |
| PL — Planning |
| PL-01 — Policy and Procedures | Organization | — |
| PL-02 — System Security and Privacy Plans | Organization | — |
| PL-04 — Rules of Behavior | Organization | — |
| PL-04(01) — Social Media and External Site/Application Usage Restrictions | Organization | — |
| PL-10 — Baseline Selection | Organization | — |
| PL-11 — Baseline Tailoring | Organization | — |
| PM — Program Management |
| PM-01 — Information Security Program Plan | Organization | — |
| PM-02 — Information Security Program Leadership Role | Organization | — |
| PM-03 — Information Security and Privacy Resources | Organization | — |
| PM-04 — Plan of Action and Milestones Process | Organization | — |
| PM-05 — System Inventory | Organization | — |
| PM-05(01) — Inventory of Personally Identifiable Information | Organization | — |
| PM-06 — Measures of Performance | Organization | — |
| PM-07 — Enterprise Architecture | Organization | — |
| PM-09 — Risk Management Strategy | Organization | — |
| PM-10 — Authorization Process | Organization | — |
| PM-11 — Mission and Business Process Definition | Organization | — |
| PM-14 — Testing, Training, and Monitoring | Organization | — |
| PM-15 — Security and Privacy Groups and Associations | Organization | — |
| PM-16 — Threat Awareness Program | Organization | — |
| PM-22 — Personally Identifiable Information Quality Management | Organization | — |
| PS — Personnel Security |
| PS-01 — Policy and Procedures | Organization | — |
| PS-02 — Position Risk Designation | Common (Organization) | TAMUS and Member Human Resources |
| PS-03 — Personnel Screening | Common (Organization) | TAMUS and Member Human Resources |
| PS-04 — Personnel Termination | Organization | — |
| PS-05 — Personnel Transfer | Organization | — |
| PS-06 — Access Agreements | Organization | — |
| PS-07 — External Personnel Security | Organization | — |
| PS-08 — Personnel Sanctions | Organization | — |
| PS-09 — Position Descriptions | Common (Organization) | TAMUS and Member Human Resources |
| RA — Risk Assessment |
| RA-01 — Policy and Procedures | Organization | — |
| RA-02 — Security Categorization | Organization | — |
| RA-03 — Risk Assessment | Organization | — |
| RA-03(01) — Supply Chain Risk Assessment | Organization | — |
| RA-05 — Vulnerability Monitoring and Scanning | Organization | — |
| RA-05(02) — Update Vulnerabilities to Be Scanned | Organization | — |
| RA-05(11) — Public Disclosure Program | Organization | — |
| RA-07 — Risk Response | Organization | — |
| SA — System and Services Acquisition |
| SA-01 — Policy and Procedures | Organization | — |
| SA-02 — Allocation of Resources | Organization | — |
| SA-03 — System Development Life Cycle | Organization | — |
| SA-04 — Acquisition Process | Organization | — |
| SA-05 — System Documentation | Organization | — |
| SA-08 — Security and Privacy Engineering Principles | Organization | — |
| SA-09 — External System Services | Organization | — |
| SA-10 — Developer Configuration Management | Organization | — |
| SA-11 — Developer Testing and Evaluation | Organization | — |
| SA-22 — Unsupported System Components | Organization | — |
| SC — System and Communications Protection |
| SC-01 — Policy and Procedures | Organization | — |
| SC-05 — Denial-of-service Protection | Information System | — |
| SC-07 — Boundary Protection | Information System | — |
| SC-07(11) — Restrict Incoming Communications Traffic | Information System | — |
| SC-08 — Transmission Confidentiality and Integrity | Information System | — |
| SC-12 — Cryptographic Key Establishment and Management | Organization | — |
| SC-13 — Cryptographic Protection | Information System | — |
| SC-15 — Collaborative Computing Devices and Applications | Information System | — |
| SC-20 — Secure Name/Address Resolution Service (Authoritative Source) | Information System | — |
| SC-21 — Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Information System | — |
| SC-22 — Architecture and Provisioning for Name/Address Resolution Service | Information System | — |
| SC-39 — Process Isolation | Information System | — |
| SI — System and Information Integrity |
| SI-01 — Policy and Procedures | Organization | — |
| SI-02 — Flaw Remediation | Organization | — |
| SI-03 — Malicious Code Protection | Organization | — |
| SI-04 — System Monitoring | Common (Organization) | TAMUS Cybersecurity (for managed endpoints) |
| SI-05 — Security Alerts, Advisories, and Directives | Organization | — |
| SI-08 — Spam Protection | Organization | — |
| SI-10 — Information Input Validation | Information System | — |
| SI-12 — Information Management and Retention | Organization | — |
| SI-12(01) — Limit Personally Identifiable Information Elements | Organization | — |
| SR — Supply Chain Risk Management |
| SR-01 — Policy and Procedures | Organization | — |
| SR-02 — Supply Chain Risk Management Plan | Organization | — |
| SR-03 — Supply Chain Controls and Processes | Organization | — |
| SR-05 — Acquisition Strategies, Tools, and Methods | Organization | — |
| SR-08 — Notification Agreements | Organization | — |
| SR-12 — Component Disposal | Organization | — |