Here is the list of the updates carried out in August 2020, in preparation for the twentieth anniversary of the UCF®.
Merging and Retiring Common Controls
| Changed CC_ID | Changed Control Name | Change Type | Surviving CC_ID | Surviving Control Name |
5569 | Enable or disable the caching of RBAC exec_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards |
| 5570 | Enable or disable the caching of RBAC user_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards |
| 10054 | Assign accountability for the Information Governance Plan to senior management | Merge | 609 | Involve the Board of Directors in Information Governance. |
| 12672 | Include a description of the personal data processing operations in the Data Protection Impact Assessment has merged with 12673 | Merge | 12673 | Include the description and purpose of personal data processing in the Data Protection Impact Assessment. |
| 2051 | Report on the percentage of audit findings that have been corrected since the last audit. | Merge | 1678 | Report on the percentage of audit findings that have been resolved since the last audit. |
| 754 | Review and update the continuity plan. | Merge | 752 | Establish and maintain a continuity plan and associated continuity procedures. |
| 13300 | Review and update the recovery plan, as necessary. | Merge | 13288 | Establish and maintain a recovery plan. |
| 4498 | Update the system's backup procedures after an approved change has occurred. | Merge | 1258 | Establish and maintain backup procedures for in scope systems. |
| 6259 | Update the privacy policy, as necessary. | Merge | 6281 | Establish and maintain a privacy policy. |
| 13310 | Conduct external audits of the organization's risk assessment within any mandated timeframes. | Merge | 13308 | Conduct external audits of the organization's risk assessment. |
| 13263 | Include addressing telecommunication diversity in the business continuity testing strategy. | Merge | 13252 | Include addressing telecommunications circuit diversity in the business continuity testing strategy. |
| 1755 | Record actions taken to contain and limit a data loss event in the incident response report. | Merge | 12708 | Include corrective action that was taken to eradicate the security incident in the incident response report. |
| 7048 | Update the information classification standard regularly or when new threats are discovered. | Merge | 601 | Establish and maintain an information classification standard. |
| 528 | Include access control procedures in the access control program. | Merge | 11663 | Establish and maintain access control procedures. |
| 1121 | Conduct a management level post implementation review. | Merge | 1003 | Conduct a post implementation review when the system design project ends. |
| 1750 | Establish electronic authentication before transmitting restricted data or restricted information between devices. | Merge | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. |
| 12934 | Identify and document conditions of non-compliance with the organizational compliance framework. | Merge | 6499 | Identify and document instances of non-compliance with the organizational compliance framework. |
| 1082 | Implement security controls into the system during the development process. | Merge | 6270 | Implement security controls when developing systems. |
| 6652 | Change cipher lock codes upon authorized personnel status change or termination. | Merge | 6651 | Change cipher lock codes, as necessary. |
Moving Common Controls in the Hierarchy
| Changed CC_ID | Changed Control Name | Change Type | New Parent CC_ID | New Parent Control Name |
| 689 | Establish and maintain an Information Technology inventory with asset discovery audit trails. | Hierarchy Move | 6631 | Establish, implement, and maintain an asset inventory database. |
| 653 | Disseminate and communicate the reviews of audit reports to organizational management. | Hierarchy Move | 6731 | Establish and maintain organizational audit reports. |
| 6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 7117 | Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. |
| 6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 1421 | Control remote access through a network access control. |
| 12339 | Include the information flow of restricted data in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program. |
| 6447 | Include the need for risk assessments in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program. |
| 13093 | Refrain from adopting impromptu measures when continuity procedures exist. | Hierarchy Move | 10604 | Implement the continuity plan, as necessary. |
| 12324 | Prohibit remote access to systems processing cleartext restricted data or restricted information. | Hierarchy Move | 1421 | Control remote access through a network access control. |
| 11677 | Evaluate and react to when unauthorized access is detected by physical entry point alarms. | Hierarchy Move | 1639 | Monitor physical entry point alarms. |
| 6365 | Build the Information Technology facility with fire resistant materials. | Hierarchy Move | 6366 | Build the Information Technology facility according to applicable building codes. |
| 12571 | Monitor and review environmental protections. | Hierarchy Move | 12570 | Employ environmental protections. |
| 13236 | Include testing cycles and test scope in the business continuity testing policy. | Hierarchy Move | 13235 | Establish, implement, and maintain a business continuity testing policy. |
| 1369 | Include a system acquisition process for critical systems in the emergency mode operation plan. | Hierarchy Move | 11694 | Include emergency operating procedures in the continuity plan. |
1369 | Include a system acquisition process for critical systems in the emergency mode operation plan. | Hierarchy Move | 11694 | Include emergency operating procedures in the continuity plan. |