
FFIEC IT Examination Handbook — Information Security

US Federal Financial Institutions Examination Council handbook for examining information security at financial institutions. 51 examination objectives across governance, risk management, threat intelligence, security controls, network security, endpoint protection, access management, data security, resilience, incident response, and third-party security. Used by OCC, FDIC, Federal Reserve, NCUA, and state banking agencies for IT examinations.

AC Access Control

Control | Name | FFIEC IS References
AC-01 | Access Control Policies and Procedures | II.C.1, II.C.15, II.C.7(b)
AC-02 | Account Management | II.C.15, II.C.7, II.C.7(b)
AC-03 | Access Enforcement | II.C.13(a), II.C.15, II.C.15(a), II.C.15(b), II.C.18, II.C.7(b)
AC-04 | Information Flow Enforcement | II.C.13, II.C.13(b), II.C.6, II.C.9
AC-05 | Separation Of Duties | II.C.7, II.C.7(b), II.C.7(c)
AC-06 | Least Privilege | II.C.13(a), II.C.15, II.C.15(a), II.C.15(b), II.C.18, II.C.7, II.C.7(b)
AC-07 | Unsuccessful Login Attempts | II.C.15
AC-08 | System Use Notification | II.C.15
AC-09 | Previous Logon Notification | II.C.15
AC-10 | Concurrent Session Control | II.C.15
AC-11 | Session Lock | II.C.15
AC-17 | Remote Access | II.C.13(b), II.C.15(c), II.C.16, II.C.9
AC-18 | Wireless Access Restrictions | II.C.15(c), II.C.9
AC-19 | Access Control For Portable And Mobile Devices | II.C.15(c)
AC-20 | Use Of External Information Systems | II.C.13(e), II.C.15(c), II.C.16, II.C.6
AC-21 | Information Sharing | II.C.13
AC-22 | Publicly Accessible Content | II.C.13
AC-24 | Access Control Decisions | II.C.15(b), II.C.7(b)

AT Awareness and Training

Control | Name | FFIEC IS References
AT-01 | Security Awareness And Training Policy And Procedures | I.A, I.B, I.C, II.C.1, II.C.7(e)
AT-02 | Security Awareness | I.A, I.C, II.C.12, II.C.13(e), II.C.7, II.C.7(e)
AT-03 | Security Training | I.A, I.C, II.C.7, II.C.7(e), IV.A.1
AT-04 | Security Training Records | I.A, II.C.7(e)
AT-05 | Contacts With Security Groups And Associations | I.A
AT-06 | Training Feedback | I.A, II.C.7(e)

AU Audit and Accountability

Control | Name | FFIEC IS References
AU-01 | Audit And Accountability Policy And Procedures | II.C.1
AU-02 | Auditable Events | II.C.15, II.C.18, III.B
AU-03 | Content Of Audit Records | II.C.15, II.C.18, III.B
AU-04 | Audit Storage Capacity | III.B
AU-05 | Response To Audit Processing Failures | III.B
AU-06 | Audit Monitoring, Analysis, And Reporting | II.C.15, II.C.18, II.D, III.B, III.C, IV.A.4
AU-07 | Audit Reduction And Report Generation | III.B, IV.A.4
AU-08 | Time Stamps | III.B
AU-09 | Protection Of Audit Information | III.B
AU-11 | Audit Record Retention | III.B
AU-12 | Audit Record Generation | II.C.15, II.C.18, III.B
AU-13 | Monitoring for Information Disclosure | II.D, III.B
AU-14 | Session Audit | III.B

CA Security Assessment and Authorization

Control | Name | FFIEC IS References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Appendix A, II.C.1, IV.A
CA-02 | Security Assessments | Appendix A, II.A, II.A.2, II.B, II.C.3, II.C.4, II.D, IV.A, IV.A.1, IV.A.2, IV.A.3, IV.A.4
CA-03 | Information System Connections | II.C.20, II.C.6, II.C.9
CA-05 | Plan Of Action And Milestones | Appendix A, II.C.3, II.C.4, IV.A, IV.A.4
CA-06 | Security Accreditation | Appendix A, II.C.4
CA-07 | Continuous Monitoring | II.A, II.A.2, II.C.4, II.D, III.A, III.B, IV.A, IV.A.3
CA-08 | Penetration Testing | II.A.2, IV.A, IV.A.1, IV.A.2, IV.A.3
CA-09 | Internal System Connections | II.C.20, II.C.6

CM Configuration Management

Control | Name | FFIEC IS References
CM-01 | Configuration Management Policy And Procedures | II.C.1, II.C.10
CM-02 | Baseline Configuration | II.C.10, II.C.2
CM-03 | Configuration Change Control | II.C.10
CM-04 | Monitoring Configuration Changes | II.A.2, II.C.10, II.C.17
CM-05 | Access Restrictions For Change | II.C.10, II.C.7(c)
CM-06 | Configuration Settings | II.A.2, II.C.10, II.C.15(a), II.C.18
CM-07 | Least Functionality | II.C.10, II.C.11, II.C.13(e), II.C.15(a)
CM-08 | Information System Component Inventory | II.C.11, II.C.13(e), II.C.5
CM-09 | Configuration Management Plan | II.C.10, II.C.5
CM-10 | Software Usage Restrictions | II.C.13(e)
CM-11 | User-Installed Software | II.C.11, II.C.13(e)
CM-12 | Information Location | II.C.5
CM-13 | Data Action Mapping | II.C.5
CM-14 | Signed Components | II.C.17

CP Contingency Planning

Control | Name | FFIEC IS References
CP-01 | Contingency Planning Policy And Procedures | II.C.1
CP-02 | Contingency Plan | III.D
CP-10 | Information System Recovery And Reconstitution | III.D

IA Identification and Authentication

Control | Name | FFIEC IS References
IA-01 | Identification And Authentication Policy And Procedures | II.C.1, II.C.15, II.C.7(b)
IA-02 | User Identification And Authentication | II.C.15, II.C.15(a), II.C.15(b), II.C.15(c), II.C.16, II.C.7(b)
IA-03 | Device Identification And Authentication | II.C.15
IA-04 | Identifier Management | II.C.15, II.C.7(b)
IA-05 | Authenticator Management | II.C.15, II.C.15(a), II.C.7(b)
IA-06 | Authenticator Feedback | II.C.15
IA-07 | Cryptographic Module Authentication | II.C.15, II.C.19
IA-08 | Identification and Authentication (Non-Organizational Users) | II.C.15, II.C.15(b), II.C.15(c), II.C.16
IA-11 | Re-authentication | II.C.15
IA-12 | Identity Proofing | II.C.15, II.C.7(b)

IR Incident Response

Control | Name | FFIEC IS References
IR-01 | Incident Response Policy And Procedures | II.C.1, III.C, III.D
IR-02 | Incident Response Training | III.D
IR-03 | Incident Response Testing And Exercises | III.D
IR-04 | Incident Handling | III.B, III.C, III.D
IR-05 | Incident Monitoring | III.C, III.D
IR-06 | Incident Reporting | III.C, III.D
IR-07 | Incident Response Assistance | III.D
IR-08 | Incident Response Plan | III.D
IR-09 | Information Spillage Response | III.C

MA Maintenance

Control | Name | FFIEC IS References
MA-01 | System Maintenance Policy And Procedures | II.C.1

MP Media Protection

Control | Name | FFIEC IS References
MP-01 | Media Protection Policy And Procedures | II.C.1, II.C.13
MP-02 | Media Access | II.C.13, II.C.13(a)
MP-03 | Media Labeling | II.C.13
MP-04 | Media Storage | II.C.13, II.C.13(a), II.C.5
MP-05 | Media Transport | II.C.13, II.C.13(c), II.C.13(d)
MP-06 | Media Sanitization And Disposal | II.C.13, II.C.13(c)
MP-07 | Media Use | II.C.13, II.C.13(d)

PE Physical and Environmental Protection

Control | Name | FFIEC IS References
PE-01 | Physical And Environmental Protection Policy And Procedures | II.C.1, II.C.8
PE-02 | Physical Access Authorizations | II.C.8
PE-03 | Physical Access Control | II.C.13(a), II.C.8
PE-04 | Access Control For Transmission Medium | II.C.8
PE-05 | Access Control For Display Medium | II.C.8
PE-06 | Monitoring Physical Access | II.C.8
PE-07 | Visitor Control | II.C.8
PE-08 | Access Records | II.C.8
PE-09 | Power Equipment And Power Cabling | II.C.8
PE-10 | Emergency Shutoff | II.C.8
PE-11 | Emergency Power | II.C.8
PE-12 | Emergency Lighting | II.C.8
PE-13 | Fire Protection | II.C.8
PE-14 | Temperature And Humidity Controls | II.C.8
PE-15 | Water Damage Protection | II.C.8
PE-16 | Delivery And Removal | II.C.13(d), II.C.8
PE-17 | Alternate Work Site | II.C.8
PE-18 | Location Of Information System Components | II.C.8
PE-19 | Information Leakage | II.C.8
PE-20 | Asset Monitoring and Tracking | II.C.8

PL Planning

Control | Name | FFIEC IS References
PL-01 | Security Planning Policy And Procedures | I.B, II.C.1
PL-02 | System Security Plan | I.B, II.C.1, II.C.3, II.C.4, IV.A.4
PL-03 | System Security Plan Update | II.C.1
PL-04 | Rules Of Behavior | I.A, I.B, II.C.1, II.C.7, II.C.7(d)
PL-07 | Concept of Operations | II.C.1
PL-08 | Security and Privacy Architectures | II.C.1, II.C.2, II.C.3
PL-09 | Central Management | II.C.2

PM Program Management

Control | Name | FFIEC IS References
PM-01 | Information Security Program Plan | Appendix A, I.A, I.B, II.C.1
PM-02 | Information Security Program Leadership Role | I.A, I.B
PM-03 | Information Security and Privacy Resources | I.B, I.C
PM-04 | Plan of Action and Milestones Process | Appendix A, II.C.1, II.C.3, II.C.4
PM-05 | System Inventory | II.C.1, II.C.13(e), II.C.5
PM-06 | Measures of Performance | Appendix A, II.C.1, II.C.4, II.D, IV.A, IV.A.1, IV.A.4
PM-08 | Critical Infrastructure Plan | II.A
PM-09 | Risk Management Strategy | II.A, II.B
PM-10 | Authorization Process | I.B
PM-11 | Mission and Business Process Definition | II.A
PM-12 | Insider Threat Program | II.A, II.A.1, III.A
PM-13 | Security and Privacy Workforce | I.A, I.B, I.C, II.C.7(e)
PM-14 | Testing, Training, and Monitoring | I.A, II.C.4, II.C.7(e), II.D, III.D, IV.A, IV.A.1, IV.A.2, IV.A.3
PM-15 | Security and Privacy Groups and Associations | II.A, II.A.1, III.A
PM-16 | Threat Awareness Program | I.C, II.A, II.A.1, III.A
PM-28 | Risk Framing | II.B
PM-29 | Risk Management Program Leadership Roles | I.B
PM-30 | Supply Chain Risk Management Strategy | II.C.20
PM-31 | Continuous Monitoring Strategy | II.C.20

PS Personnel Security

Control | Name | FFIEC IS References
PS-01 | Personnel Security Policy And Procedures | I.B, II.C.1, II.C.7
PS-02 | Position Categorization | I.B, II.C.7, II.C.7(a), II.C.7(c)
PS-03 | Personnel Screening | II.C.7, II.C.7(a)
PS-04 | Personnel Termination | II.C.7
PS-05 | Personnel Transfer | II.C.7
PS-06 | Access Agreements | II.C.7, II.C.7(a), II.C.7(d)
PS-07 | Third-Party Personnel Security | I.B, II.C.20, II.C.7, II.C.7(a), II.C.7(d)
PS-08 | Personnel Sanctions | II.C.7
PS-09 | Position Descriptions | II.C.7, II.C.7(a)

PT Personally Identifiable Information Processing and Transparency

Control | Name | FFIEC IS References
PT-01 | Policy and Procedures | II.C.1, II.C.16
PT-02 | Authority to Process Personally Identifiable Information | II.C.16
PT-03 | Personally Identifiable Information Processing Purposes | II.C.16

RA Risk Assessment

Control | Name | FFIEC IS References
RA-01 | Risk Assessment Policy And Procedures | I.B, II.A, II.B, II.C.1
RA-02 | Security Categorization | II.A, II.B, II.C.5
RA-03 | Risk Assessment | II.A, II.A.1, II.B, II.D, III.A
RA-05 | Vulnerability Scanning | II.A, II.A.2, II.C.11, III.A, IV.A, IV.A.2
RA-07 | Risk Response | II.A, II.A.2, II.B, II.D
RA-09 | Criticality Analysis | II.A, II.B, II.C.5
RA-10 | Threat Hunting | II.A, II.A.1, III.A

SA System and Services Acquisition

Control | Name | FFIEC IS References
SA-01 | System And Services Acquisition Policy And Procedures | I.C, II.C.1
SA-02 | Allocation Of Resources | I.C
SA-03 | Life Cycle Support | I.C, II.C.17, II.C.2
SA-04 | Acquisitions | II.C.14, II.C.17, II.C.2, II.C.20
SA-08 | Security Engineering Principles | II.C.17, II.C.2, II.C.3
SA-09 | External Information System Services | II.C.14, II.C.20, II.C.6
SA-10 | Developer Configuration Management | II.C.10, II.C.17
SA-11 | Developer Security Testing | II.C.15(b), II.C.17, IV.A, IV.A.2
SA-15 | Development Process, Standards, and Tools | II.C.17
SA-17 | Developer Security and Privacy Architecture and Design | II.C.17, II.C.2
SA-22 | Unsupported System Components | II.C.11, II.C.14

SC System and Communications Protection

Control | Name | FFIEC IS References
SC-01 | System And Communications Protection Policy And Procedures | II.C.1
SC-02 | Application Partitioning | II.C.15(b), II.C.2
SC-03 | Security Function Isolation | II.C.15(a), II.C.2
SC-04 | Information Remnance | II.C.18
SC-07 | Boundary Protection | II.C.12, II.C.16, II.C.2, II.C.6, II.C.9
SC-08 | Transmission Integrity | II.C.13, II.C.13(b), II.C.15(c), II.C.16, II.C.19, II.C.6, II.C.9
SC-10 | Network Disconnect | II.C.15(c), II.C.6, II.C.9
SC-11 | Trusted Path | II.C.9
SC-12 | Cryptographic Key Establishment And Management | II.C.13(b), II.C.15(c), II.C.16, II.C.19
SC-13 | Use Of Cryptography | II.C.13(b), II.C.15(c), II.C.16, II.C.19
SC-16 | Transmission Of Security Parameters | II.C.5
SC-17 | Public Key Infrastructure Certificates | II.C.19
SC-18 | Mobile Code | II.C.12
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | II.C.6
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | II.C.6
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | II.C.6
SC-23 | Session Authenticity | II.C.13(b), II.C.16, II.C.6, II.C.9
SC-28 | Protection of Information at Rest | II.C.13, II.C.13(a), II.C.18, II.C.19
SC-32 | System Partitioning | II.C.2
SC-39 | Process Isolation | II.C.15(a), II.C.2
SC-44 | Detonation Chambers | II.C.12, II.C.9

SI System and Information Integrity

Control | Name | FFIEC IS References
SI-01 | System And Information Integrity Policy And Procedures | II.C.1
SI-02 | Flaw Remediation | II.A.2, II.C.11
SI-03 | Malicious Code Protection | II.C.12
SI-04 | Information System Monitoring Tools And Techniques | II.C.12, II.C.16, II.C.9, II.D, III.A, III.B, III.C
SI-05 | Security Alerts And Advisories | II.A.1, III.A, III.B, III.C, III.D
SI-07 | Software And Information Integrity | II.C.12, III.B
SI-08 | Spam Protection | II.C.12
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | II.C.17
SI-11 | Error Handling | II.C.17
SI-12 | Information Output Handling And Retention | II.C.13, II.C.13(c)
SI-16 | Memory Protection | II.C.12

SR Supply Chain Risk Management

Control | Name | FFIEC IS References
SR-01 | Policy and Procedures | II.C.1, II.C.14, II.C.20
SR-02 | Supply Chain Risk Management Plan | II.C.14, II.C.20
SR-03 | Supply Chain Controls and Processes | II.C.14, II.C.20
SR-04 | Provenance | II.C.14
SR-05 | Acquisition Strategies, Tools, and Methods | II.C.14
SR-06 | Supplier Assessments and Reviews | II.C.14, II.C.20
SR-07 | Supply Chain Operations Security | II.A.1, II.C.14
SR-08 | Notification Agreements | II.C.14
SR-09 | Tamper Resistance and Detection | II.C.14
SR-10 | Inspection of Systems or Components | II.C.14
SR-11 | Component Authenticity | II.C.14
SR-12 | Component Disposal | II.C.14