
NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile



AD ID

0003990

AD STATUS

NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile

ORIGINATOR

US National Institute of Standards and Technology

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

NIST AI 600-1

NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile

EFFECTIVE

2024-07-01

ADDED


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, tagged with its primary and secondary nouns and primary and secondary verbs, in a four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. Terms shown with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
121 Mandated Controls (bold), 112 Implied Controls (italic), 1463 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1696 Total
  • Acquisition or sale of facilities, technology, and services (39 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. Columns: Common Control, CC ID, TYPE, CLASS.
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Establish/Maintain Documentation Preventive
    Include security requirements in system acquisition contracts. CC ID 01124 Establish/Maintain Documentation Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 Acquisition/Sale of Assets or Services Detective
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135
    [Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights. GOVERN 6.1:]
    Testing Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Establish policies for user feedback mechanisms for GAI systems which include thorough instructions and any mechanisms for recourse. GV-3.2-004]
    Business Processes Preventive
    Document consumer complaints. CC ID 13903 Business Processes Preventive
    Assess consumer complaints and litigation. CC ID 16521 Investigate Preventive
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Communicate Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Establish/Maintain Documentation Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Establish/Maintain Documentation Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Communicate Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Communicate Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Communicate Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Establish/Maintain Documentation Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Communicate Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Establish/Maintain Documentation Preventive
    Check communications for take-down requests. CC ID 09964 Monitor and Evaluate Occurrences Preventive
    Include complete information in the take-down request. CC ID 09965 Business Processes Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Business Processes Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Business Processes Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Business Processes Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Business Processes Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Business Processes Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Business Processes Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Business Processes Detective
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Behavior Preventive
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Business Processes Detective
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Establish/Maintain Documentation Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Establish/Maintain Documentation Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Establish/Maintain Documentation Preventive
    Remove all unlawful material associated with the take-down request that have not been removed and are feasible to remove. CC ID 09978 Business Processes Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Business Processes Preventive
    Process product return requests. CC ID 11598 Acquisition/Sale of Assets or Services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management (310 controls)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities. GOVERN 1.4:]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [Maintain an updated hierarchy of identified and expected GAI risks connected to contexts of GAI model advancement and use, potentially including specialized risk levels for GAI systems that address issues such as model collapse and algorithmic monoculture. GV-1.3-005]
    Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:]
    Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
    {alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and Risk Management Detective
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Communicate Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Risks associated with transparency and accountability – as identified in the MAP function – are examined and documented. MEASURE 2.8:]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Document risk measurement plans to address identified risks. Plans may include, as applicable: Individual and group cognitive biases (e.g., confirmation bias, funding bias, groupthink) for AI Actors involved in the design, implementation, and use of GAI systems; Known past GAI system incidents and failure modes; In-context use and foreseeable misuse, abuse, and off-label use; Over reliance on quantitative metrics and methodologies without sufficient awareness of their limitations in the context(s) of use; Standard measurement and structured human feedback approaches; Anticipated human-AI configurations. MP-1.1-003]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Process or Activity Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Process or Activity Detective
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Process or Activity Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Process or Activity Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization's risk tolerance. GOVERN 1.3:
    Procedures are followed to respond to and recover from a previously unknown risk when it is identified. MANAGE 2.3:]
    Establish/Maintain Documentation Preventive
    Approve the risk acceptance level, as necessary. CC ID 17168 Process or Activity Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [Responses to the AI risks deemed high priority, as identified by the MAP function, are developed, planned, and documented. Risk response options can include mitigating, transferring, avoiding, or accepting. MANAGE 1.3:
    AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220
    [Include relevant AI Actors in the GAI system risk identification process. GV-4.2-002
    Establish policies and procedures to test and manage risks related to rollover and fallback technologies for GAI systems, acknowledging that rollover and fallback may include manual processing. GV-6.2-006
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    {risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619
    [AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a disclosure report. CC ID 15521 Establish/Maintain Documentation Preventive
    Include metrics in the disclosure report. CC ID 15916
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Establish/Maintain Documentation Preventive
    Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 Establish/Maintain Documentation Preventive
    Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 Establish/Maintain Documentation Preventive
    Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 Establish/Maintain Documentation Preventive
    Include the number of individuals in each region in the disclosure report. CC ID 15835 Establish/Maintain Documentation Preventive
    Include the number of individuals in each gender category in the disclosure report. CC ID 15633 Establish/Maintain Documentation Preventive
    Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 Establish/Maintain Documentation Preventive
    Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 Establish/Maintain Documentation Preventive
    Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 Actionable Reports or Measurements Detective
    Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 Establish/Maintain Documentation Preventive
    Include metrics criteria in the disclosure report. CC ID 16143 Establish/Maintain Documentation Preventive
    Include risk management metrics in the disclosure report. CC ID 16345 Establish/Maintain Documentation Preventive
    Include financial management metrics in the disclosure report. CC ID 16042 Establish/Maintain Documentation Preventive
    Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 Actionable Reports or Measurements Detective
    Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 Actionable Reports or Measurements Detective
    Include revenues in the disclosure report. CC ID 16099 Actionable Reports or Measurements Detective
    Include the economic value distributed in the disclosure report. CC ID 16086 Actionable Reports or Measurements Detective
    Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 Actionable Reports or Measurements Detective
    Include total monetary value of payments to governments in the disclosure report. CC ID 16091 Actionable Reports or Measurements Detective
    Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 Actionable Reports or Measurements Detective
    Include total monetary value of community investments in the disclosure report. CC ID 16089 Actionable Reports or Measurements Detective
    Include operating costs in the disclosure report. CC ID 16088 Actionable Reports or Measurements Detective
    Include economic value retained in the disclosure report. CC ID 16094 Actionable Reports or Measurements Detective
    Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 Actionable Reports or Measurements Detective
    Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 Actionable Reports or Measurements Detective
    Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 Actionable Reports or Measurements Detective
    Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 Actionable Reports or Measurements Detective
    Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 Establish/Maintain Documentation Preventive
    Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 Actionable Reports or Measurements Detective
    Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 Actionable Reports or Measurements Detective
    Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 Actionable Reports or Measurements Detective
    Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 Actionable Reports or Measurements Detective
    Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 Actionable Reports or Measurements Detective
    Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 Actionable Reports or Measurements Detective
    Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 Actionable Reports or Measurements Detective
    Include revenues from third party sales in the disclosure report. CC ID 16045 Actionable Reports or Measurements Detective
    Include the profit and loss before tax in the disclosure report. CC ID 16044 Actionable Reports or Measurements Detective
    Include metrics on anti-corruption in the disclosure report. CC ID 16052 Establish/Maintain Documentation Preventive
    Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 Actionable Reports or Measurements Detective
    Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 Actionable Reports or Measurements Detective
    Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 Actionable Reports or Measurements Detective
    Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 Actionable Reports or Measurements Detective
    Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 Actionable Reports or Measurements Detective
    Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 Actionable Reports or Measurements Detective
    Include the total number of incidents of corruption in the disclosure report. CC ID 16066 Actionable Reports or Measurements Detective
    Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 Actionable Reports or Measurements Detective
    Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 Actionable Reports or Measurements Detective
    Include environmental management metrics in the disclosure report. CC ID 16012 Establish/Maintain Documentation Preventive
    Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 Actionable Reports or Measurements Detective
    Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 Establish/Maintain Documentation Preventive
    Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 Actionable Reports or Measurements Detective
    Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 Actionable Reports or Measurements Detective
    Include metrics on procurement practices in the disclosure report. CC ID 16011 Establish/Maintain Documentation Preventive
    Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 Actionable Reports or Measurements Detective
    Include emissions management metrics in the disclosure report. CC ID 15987 Establish/Maintain Documentation Preventive
    Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 Actionable Reports or Measurements Detective
    Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 Actionable Reports or Measurements Detective
    Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 Actionable Reports or Measurements Detective
    Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 Actionable Reports or Measurements Detective
    Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 Actionable Reports or Measurements Detective
    Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 Actionable Reports or Measurements Detective
    Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 Actionable Reports or Measurements Detective
    Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 Actionable Reports or Measurements Detective
    Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 Actionable Reports or Measurements Detective
    Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 Actionable Reports or Measurements Detective
    Include the total amount of significant air emissions in the disclosure report. CC ID 16005 Actionable Reports or Measurements Detective
    Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 Actionable Reports or Measurements Detective
    Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 Actionable Reports or Measurements Detective
    Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 Actionable Reports or Measurements Detective
    Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 Actionable Reports or Measurements Detective
    Include the total emissions of particulate matter in the disclosure report. CC ID 16077 Actionable Reports or Measurements Detective
    Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 Actionable Reports or Measurements Detective
    Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 Actionable Reports or Measurements Detective
    Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 Actionable Reports or Measurements Detective
    Include compliance metrics in the disclosure report. CC ID 15932 Establish/Maintain Documentation Preventive
    Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 Actionable Reports or Measurements Detective
    Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 Establish/Maintain Documentation Preventive
    Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 Actionable Reports or Measurements Detective
    Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 Establish/Maintain Documentation Preventive
    Include metrics on labor-management relations in the disclosure report. CC ID 15935 Establish/Maintain Documentation Preventive
    Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 Establish/Maintain Documentation Preventive
    Include waste management metrics in the disclosure report. CC ID 15925 Establish/Maintain Documentation Preventive
    Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 Actionable Reports or Measurements Detective
    Include the total volume of significant spills in the disclosure report. CC ID 16010 Actionable Reports or Measurements Detective
    Include the total number of significant spills in the disclosure report. CC ID 15965 Actionable Reports or Measurements Detective
    Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 Establish/Maintain Documentation Preventive
    Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 Establish/Maintain Documentation Preventive
    Include the total weight of waste generated in the disclosure report. CC ID 15778 Establish/Maintain Documentation Preventive
    Include a breakdown of waste generated in the disclosure report. CC ID 15775 Establish/Maintain Documentation Preventive
    Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 Establish/Maintain Documentation Preventive
    Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 Establish/Maintain Documentation Preventive
    Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 Establish/Maintain Documentation Preventive
    Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 Establish/Maintain Documentation Preventive
    Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 Establish/Maintain Documentation Preventive
    Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 Establish/Maintain Documentation Preventive
    Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 Establish/Maintain Documentation Preventive
    Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 Establish/Maintain Documentation Preventive
    Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 Establish/Maintain Documentation Preventive
    Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 Establish/Maintain Documentation Preventive
    Include product and service management metrics in the disclosure report. CC ID 15917 Establish/Maintain Documentation Preventive
    Include the performance qualification score of laptops in the disclosure report. CC ID 16176 Actionable Reports or Measurements Detective
    Include the battery life score of laptops in the disclosure report. CC ID 16175 Actionable Reports or Measurements Detective
    Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 Actionable Reports or Measurements Detective
    Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 Actionable Reports or Measurements Detective
    Include the energy efficiency of server processors in the disclosure report. CC ID 16170 Actionable Reports or Measurements Detective
    Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 Actionable Reports or Measurements Detective
    Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 Actionable Reports or Measurements Detective
    Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 Actionable Reports or Measurements Detective
    Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 Actionable Reports or Measurements Detective
    Include the average actual sustained download speed in the disclosure report. CC ID 15568 Actionable Reports or Measurements Detective
    Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 Establish/Maintain Documentation Preventive
    Include the average advertised download speed in the disclosure report. CC ID 15567 Actionable Reports or Measurements Detective
    Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 Establish/Maintain Documentation Preventive
    Include water management metrics in the disclosure report. CC ID 15924 Establish/Maintain Documentation Preventive
    Include the total water withdrawal in the disclosure report. CC ID 15593 Establish/Maintain Documentation Preventive
    Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 Establish/Maintain Documentation Preventive
    Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 Establish/Maintain Documentation Preventive
    Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 Establish/Maintain Documentation Preventive
    Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 Actionable Reports or Measurements Detective
    Include the total water discharge in the disclosure report. CC ID 15758 Establish/Maintain Documentation Preventive
    Include a breakdown of water discharge in the disclosure report. CC ID 15759 Establish/Maintain Documentation Preventive
    Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 Establish/Maintain Documentation Preventive
    Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 Establish/Maintain Documentation Preventive
    Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 Actionable Reports or Measurements Detective
    Include the total water consumption in the disclosure report. CC ID 15642 Establish/Maintain Documentation Preventive
    Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 Establish/Maintain Documentation Preventive
    Include the total number of complaints received in the disclosure report. CC ID 15728 Establish/Maintain Documentation Preventive
    Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 Establish/Maintain Documentation Preventive
    Include employment practices metrics in the disclosure report. CC ID 15921 Establish/Maintain Documentation Preventive
    Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 Actionable Reports or Measurements Detective
    Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 Actionable Reports or Measurements Detective
    Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 Actionable Reports or Measurements Detective
    Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 Actionable Reports or Measurements Detective
    Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 Actionable Reports or Measurements Detective
    Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 Actionable Reports or Measurements Detective
    Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 Actionable Reports or Measurements Preventive
    Include the percentage of offshore employees in the disclosure report. CC ID 15623 Actionable Reports or Measurements Preventive
    Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 Actionable Reports or Measurements Detective
    Include the rate of new employee hires in the disclosure report. CC ID 15928 Actionable Reports or Measurements Detective
    Include the rate of employee turnover in the disclosure report. CC ID 15898 Establish/Maintain Documentation Preventive
    Include the total number of employees who left the organization in the disclosure report. CC ID 16127 Actionable Reports or Measurements Detective
    Include the total number of new employee hires in the disclosure report. CC ID 15896 Establish/Maintain Documentation Preventive
    Include the total number of employees in the disclosure report. CC ID 15834 Establish/Maintain Documentation Preventive
    Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 Actionable Reports or Measurements Detective
    Include metrics on parental leave in the disclosure report. CC ID 15936 Establish/Maintain Documentation Preventive
    Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 Establish/Maintain Documentation Preventive
    Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 Actionable Reports or Measurements Detective
    Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 Actionable Reports or Measurements Detective
    Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 Actionable Reports or Measurements Detective
    Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 Actionable Reports or Measurements Detective
    Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 Actionable Reports or Measurements Detective
    Include the number of hours worked in the disclosure report. CC ID 15910 Establish/Maintain Documentation Preventive
    Include the percentage of employee engagement in the disclosure report. CC ID 15634 Actionable Reports or Measurements Preventive
    Include metrics on public policy advocacy in the disclosure report. CC ID 15947 Establish/Maintain Documentation Preventive
    Include the total monetary value of political contributions in the disclosure report. CC ID 15803 Establish/Maintain Documentation Preventive
    Include metrics on training and education in the disclosure report. CC ID 15940 Establish/Maintain Documentation Preventive
    Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 Establish/Maintain Documentation Preventive
    Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 Establish/Maintain Documentation Preventive
    Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 Actionable Reports or Measurements Preventive
    Include operational metrics in the disclosure report. CC ID 15939 Establish/Maintain Documentation Preventive
    Include incident management metrics in the disclosure report. CC ID 15926 Establish/Maintain Documentation Preventive
    Include the user average interruption duration in the disclosure report. CC ID 15558 Actionable Reports or Measurements Detective
    Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 Establish/Maintain Documentation Preventive
    Include the system average interruption frequency in the disclosure report. CC ID 15565 Actionable Reports or Measurements Detective
    Include the total user downtime in the disclosure report. CC ID 15635 Actionable Reports or Measurements Preventive
    Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 Establish/Maintain Documentation Preventive
    Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 Establish/Maintain Documentation Preventive
    Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 Establish/Maintain Documentation Preventive
    Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 Actionable Reports or Measurements Preventive
    Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 Actionable Reports or Measurements Detective
    Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 Actionable Reports or Measurements Preventive
    Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 Establish/Maintain Documentation Preventive
    Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 Establish/Maintain Documentation Preventive
    Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 Actionable Reports or Measurements Detective
    Include the number of content removal requests in the disclosure report. CC ID 15647 Establish/Maintain Documentation Preventive
    Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 Establish/Maintain Documentation Preventive
    Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 Establish/Maintain Documentation Preventive
    Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 Actionable Reports or Measurements Detective
    Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 Establish/Maintain Documentation Preventive
    Include third party management metrics in the disclosure report. CC ID 15923 Establish/Maintain Documentation Preventive
    Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 Establish/Maintain Documentation Preventive
    Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 Actionable Reports or Measurements Detective
    Include metrics on supplier social assessments in the disclosure report. CC ID 15938 Establish/Maintain Documentation Preventive
    Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 Establish/Maintain Documentation Preventive
    Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 Establish/Maintain Documentation Preventive
    Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 Establish/Maintain Documentation Preventive
    Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 Establish/Maintain Documentation Preventive
    Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 Establish/Maintain Documentation Preventive
    Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 Establish/Maintain Documentation Preventive
    Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 Establish/Maintain Documentation Preventive
    Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 Establish/Maintain Documentation Preventive
    Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 Establish/Maintain Documentation Preventive
    Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 Establish/Maintain Documentation Preventive
    Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 Establish/Maintain Documentation Preventive
    Include customer health and safety management metrics in the disclosure report. CC ID 15922 Establish/Maintain Documentation Preventive
    Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 Establish/Maintain Documentation Preventive
    Include energy management metrics in the disclosure report. CC ID 15920 Establish/Maintain Documentation Preventive
    Include the total energy reduction in the disclosure report. CC ID 15749 Establish/Maintain Documentation Preventive
    Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 Establish/Maintain Documentation Preventive
    Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 Establish/Maintain Documentation Preventive
    Include the power usage effectiveness in the disclosure report. CC ID 15552 Actionable Reports or Measurements Detective
    Include the total heating sold in the disclosure report. CC ID 15739 Establish/Maintain Documentation Preventive
    Include the energy intensity ratio in the disclosure report. CC ID 15735 Actionable Reports or Measurements Preventive
    Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 Establish/Maintain Documentation Preventive
    Include the total electricity sold in the disclosure report. CC ID 15740 Establish/Maintain Documentation Preventive
    Include the total energy consumption in the disclosure report. CC ID 15506 Establish/Maintain Documentation Preventive
    Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 Establish/Maintain Documentation Preventive
    Include the total heating consumption in the disclosure report. CC ID 15743 Establish/Maintain Documentation Preventive
    Include the total cooling sold in the disclosure report. CC ID 15738 Establish/Maintain Documentation Preventive
    Include the total cooling consumption in the disclosure report. CC ID 15742 Establish/Maintain Documentation Preventive
    Include the total steam sold in the disclosure report. CC ID 15737 Establish/Maintain Documentation Preventive
    Include the total steam consumption in the disclosure report. CC ID 15741 Establish/Maintain Documentation Preventive
    Include the fuel types used in the disclosure report. CC ID 15745 Establish/Maintain Documentation Preventive
    Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 Actionable Reports or Measurements Detective
    Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 Actionable Reports or Measurements Detective
    Include materials management metrics in the disclosure report. CC ID 15919 Establish/Maintain Documentation Preventive
    Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 Actionable Reports or Measurements Detective
    Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 Actionable Reports or Measurements Detective
    Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 Establish/Maintain Documentation Preventive
    Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 Establish/Maintain Documentation Preventive
    Include the weight of recovered materials in the disclosure report. CC ID 16203 Actionable Reports or Measurements Detective
    Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 Actionable Reports or Measurements Detective
    Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 Establish/Maintain Documentation Preventive
    Include occupational health and safety management metrics in the disclosure report. CC ID 15918 Establish/Maintain Documentation Preventive
    Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 Establish/Maintain Documentation Preventive
    Include the total number of work-related injuries in the disclosure report. CC ID 15899 Establish/Maintain Documentation Preventive
    Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 Establish/Maintain Documentation Preventive
    Include the rate of work-related injuries in the disclosure report. CC ID 15944 Actionable Reports or Measurements Detective
    Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 Actionable Reports or Measurements Detective
    Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 Actionable Reports or Measurements Detective
    Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 Actionable Reports or Measurements Detective
    Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 Actionable Reports or Measurements Detective
    Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 Actionable Reports or Measurements Detective
    Include how material topics are managed in the disclosure report. CC ID 15657 Establish/Maintain Documentation Preventive
    Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Establish/Maintain Documentation Preventive
  • Harmonization Methods and Manual of Style
    23
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain organizational documents. CC ID 16202
    [Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented. Documentation provides sufficient information to assist relevant AI Actors when making decisions and taking subsequent actions. MAP 2.2:]
    Establish/Maintain Documentation Preventive
    Use unique titles for organizational documents. CC ID 16289 Establish/Maintain Documentation Preventive
    Write organizational documents using clear and conspicuous language. CC ID 16281 Establish/Maintain Documentation Preventive
    Write organizational documents using information that is free from bias. CC ID 16341 Establish/Maintain Documentation Preventive
    Include the publication date on organizational documents. CC ID 16269 Establish/Maintain Documentation Preventive
    Include version control on organizational documents. CC ID 16268 Establish/Maintain Documentation Preventive
    Include the version number on organizational documents. CC ID 16266 Establish/Maintain Documentation Preventive
    Include the author's name and job title on organizational documents. CC ID 16265 Establish/Maintain Documentation Preventive
    Include a record of changes in organizational documents. CC ID 16252 Establish/Maintain Documentation Preventive
    Include page numbers in the record of changes. CC ID 16280 Establish/Maintain Documentation Preventive
    Include change comments in the record of changes. CC ID 16279 Establish/Maintain Documentation Preventive
    Include the date of the change in the record of changes. CC ID 16278 Establish/Maintain Documentation Preventive
    Organize all compliance documents. CC ID 06096 Establish/Maintain Documentation Preventive
    Organize all compliance documents to fit the message. CC ID 06097 Establish/Maintain Documentation Preventive
    Identify the target audience for compliance documents. CC ID 06108 Establish/Maintain Documentation Preventive
    Define the structure for compliance documents and governance documents. CC ID 06111 Establish/Maintain Documentation Preventive
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Establish/Maintain Documentation Preventive
    Define visual and formatting styles for all structured headings. CC ID 06110 Establish/Maintain Documentation Preventive
    Define the section heading style, if section headings are being used. CC ID 06112 Establish/Maintain Documentation Preventive
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Establish/Maintain Documentation Preventive
    Place the table of contents at the document's beginning. CC ID 06114 Establish/Maintain Documentation Preventive
    Add term definitions to the document's end. CC ID 06115 Establish/Maintain Documentation Preventive
  • Human Resources management
    87
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:]
    Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:]
    Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define organizational responsibilities for periodic review of content provenance and incident monitoring for GAI systems. GV-1.5-001]
    Human Resources Management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Document the use of external experts. CC ID 16263 Human Resources Management Preventive
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:
    {be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    When systems may raise national security risks, involve national security professionals in mapping, measuring, and managing those risks. GV-2.1-004
    Establish and empower interdisciplinary teams that reflect a wide range of capabilities, competencies, demographic groups, domain expertise, educational backgrounds, lived experiences, professions, and skills across the enterprise to inform and conduct risk measurement and management functions. MP-1.2-001]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368
    [Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems. GOVERN 3.2:
    Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [Conduct joint educational activities and events in collaboration with third parties to promote best practices for managing GAI risks. GV-6.1-002]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268
    [Develop certification programs that test proficiency in managing GAI risks and interpreting content provenance, relevant to specific industry and context. MP-3.4-003]
    Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [{be appropriate} Establish processes to verify the AI Actors conducting GAI incident response tasks demonstrate and maintain the appropriate skills and training. GV-2.1-003]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Develop or acquire content to update the training plans. CC ID 12867
    [Adapt existing training programs to include modules on digital content transparency. MP-3.4-002]
    Training Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Training Preventive
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Business Processes Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [{risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Establish/Maintain Documentation Preventive
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Business Processes Preventive
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Communicate Preventive
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Establish/Maintain Documentation Preventive
    Include management commitment in the occupational health and safety policy. CC ID 16264 Behavior Preventive
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Establish/Maintain Documentation Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Establish/Maintain Documentation Preventive
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Physical and Environmental Protection Preventive
    Install duress alarms in susceptible public areas. CC ID 06075 Physical and Environmental Protection Preventive
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources Management Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Establish/Maintain Documentation Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources Management Preventive
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain food handling procedures. CC ID 11765 Establish/Maintain Documentation Preventive
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources Management Preventive
    Protect personnel from work-related intimidation. CC ID 07046 Behavior Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources Management Preventive
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 Human Resources Management Preventive
    Refrain from using gifted mobile devices. CC ID 16460 Acquisition/Sale of Assets or Services Preventive
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Business Processes Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Configuration Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Process or Activity Detective
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources Management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859
    [Create mechanisms to provide protections for whistleblowers who report, based on reasonable belief, when the organization violates relevant laws or poses a specific and empirically well-substantiated negative risk to public safety (or has already caused harm). GV-2.1-005]
    Communicate Preventive
  • Leadership and high level objectives
    47
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245 Establish/Maintain Documentation Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [{be external} Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system regarding the potential individual and societal impacts related to AI risks. GOVERN 5.1:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    Feedback processes for end users and impacted communities to report problems and appeal system outcomes are established and integrated into AI system evaluation metrics. MEASURE 3.3:
    Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:
    Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
    Obtain input from stakeholder communities to identify unacceptable use, in accordance with activities in the AI RMF Map function. GV-1.3-004]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures. CC ID 12406
    [{alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Establish/Maintain Documentation Preventive
    Include the criteria for notifications in the notification system. CC ID 17139 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591
    [Mechanisms are in place and applied to sustain the value of deployed AI systems. MANAGE 2.2:]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002
    Review and document accuracy, representativeness, relevance, suitability of data used at different stages of AI life cycle. MP-2.3-002]
    Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include the data source in the data governance and management practices. CC ID 17211 Data and Information Management Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Legal and regulatory requirements involving AI are understood, managed, and documented. GOVERN 1.1:]
    Establish/Maintain Documentation Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [Define any inventory exemptions in organizational policies for GAI systems embedded into application software. GV-1.6-002]
    Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Communicate Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [Reevaluate organizational risk tolerances to account for unacceptable negative risk (such as where significant negative impacts are imminent, severe harms are actually occurring, or large-scale risks could occur); and broad GAI negative risks, including: Immature safety or risk cultures related to AI and GAI design, development and deployment, public information integrity risks, including impacts on democratic processes, unknown long-term performance characteristics of GAI. GV-1.3-006]
    Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Monitor and evaluate system performance. CC ID 00651
    [Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance. MANAGE 3.2:]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Risk tracking approaches are considered for settings where AI risks are difficult to assess using currently available measurement techniques or where metrics are not yet available. MEASURE 3.2:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676
    [Privacy risk of the AI system – as identified in the MAP function – is examined and documented. MEASURE 2.10:]
    Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Behavior Preventive
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Establish/Maintain Documentation Preventive
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Establish/Maintain Documentation Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Communicate Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901 Technical Security Detective
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Human Resources Management Preventive
    Enable security controls which were disabled to conduct testing. CC ID 17031 Testing Preventive
    Document improvement actions based on test results and exercises. CC ID 16840 Establish/Maintain Documentation Preventive
    Disable dedicated accounts after testing is complete. CC ID 17033 Testing Preventive
    Protect systems and data during testing in the production environment. CC ID 17198 Testing Preventive
    Delete personal data upon data subject's withdrawal from testing. CC ID 17238 Data and Information Management Preventive
    Define the criteria to conduct testing in the production environment. CC ID 17197 Testing Preventive
    Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 Behavior Preventive
    Suspend testing in a production environment, as necessary. CC ID 17231 Testing Preventive
    Define the test requirements for each testing program. CC ID 13177
    [Implement plans for GAI systems to undergo regular adversarial testing to identify vulnerabilities and potential manipulation or misuse. MP-2.3-005
    Delineate human proficiency tests from tests of GAI capabilities. MP-3.4-004]
    Establish/Maintain Documentation Preventive
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Include test requirements for the use of production data in the testing program. CC ID 17201 Testing Preventive
    Include test requirements for the use of human subjects in the testing program. CC ID 16222
    [Evaluations involving human subjects meet applicable requirements (including human subject protection) and are representative of the relevant population. MEASURE 2.2:]
    Testing Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Testing Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Testing Preventive
    Notify interested personnel and affected parties prior to performing testing. CC ID 17034 Communicate Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Testing Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Process or Activity Detective
    Scan organizational networks for rogue devices. CC ID 00536 Testing Detective
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Configuration Corrective
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Establish/Maintain Documentation Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Communicate Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Establish/Maintain Documentation Preventive
    Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 Process or Activity Preventive
    Define the validity period for technical documentation assessment certificates. CC ID 17227 Process or Activity Preventive
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Testing Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Testing Detective
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Communicate Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Establish Roles Preventive
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Repeat penetration testing, as necessary. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Technical Security Preventive
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Conduct scanning activities in a test environment. CC ID 17036 Testing Preventive
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857 Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Communicate Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828 Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Approve the vulnerability management program. CC ID 15722 Process or Activity Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Establish Roles Preventive
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Document and maintain test results. CC ID 17028 Testing Preventive
    Include the pass or fail test status in the test results. CC ID 17106 Establish/Maintain Documentation Preventive
    Include time information in the test results. CC ID 17105 Establish/Maintain Documentation Preventive
    Include a description of the system tested in the test results. CC ID 17104 Establish/Maintain Documentation Preventive
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 Communicate Preventive
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497 Technical Security Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [Develop and validate approaches for measuring the success of content provenance management efforts with third parties (e.g., incidents detected and response times). GV-6.1-003]
    Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655
    [Establish policies for measuring the effectiveness of employed content provenance methodologies (e.g., cryptography, watermarking, steganography, etc.). GV-4.3-001]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before network access is granted. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Report known security issues to interested personnel and affected parties on a regular basis. CC ID 12329
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Monitor and Evaluate Occurrences Preventive
    Protect against misusing automated audit tools. CC ID 04547 Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented. MEASURE 2.13:]
    Testing Detective
  • Operational and Systems Continuity
    89
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk. GOVERN 6.2:]
    Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Establish/Maintain Documentation Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Communicate Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish policies and procedures that address GAI data redundancy, including model weights and other system artifacts. GV-6.2-005]
    Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Data and Information Management Detective
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Systems Continuity Preventive
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Communicate Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Data and Information Management Preventive
  • Operational management
    519
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
    Verify information sharing and feedback mechanisms among individuals and organizations regarding any negative impact from GAI systems. GV-4.3-003]
    Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems; Incident response and containment. GV-3.2-002]
    Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Establish/Maintain Documentation Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Provide support for information sharing activities. CC ID 15644
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Process or Activity Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Define acceptable use policies for GAI interfaces, modalities, and human-AI configurations (i.e., for chatbots and decision-making tasks), including criteria for the kinds of queries GAI applications should refuse to respond to. GV-3.2-003
    {be transparent} {be illegal} Establish transparent acceptable use policies for GAI that address illegal use or applications of GAI. GV-1.4-002
    Update GAI acceptable use policies to address proprietary and open-source GAI technologies and data, and contractors, consultants, and other third-party personnel. GV-6.1-010]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    Implement policies and practices defining how third-party intellectual property and training data will be used, stored, and protected. MP-4.1-006]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Business Processes Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Fairness and bias – as identified in the MAP function – are evaluated and results are documented. MEASURE 2.11:]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001]
    Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181
    [Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities. GOVERN 1.6:]
    Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Data and Information Management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Data and Information Management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Communicate Preventive
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Human Resources Management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Establish/Maintain Documentation Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Establish/Maintain Documentation Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Establish/Maintain Documentation Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Establish/Maintain Documentation Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:]
    Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Process or Activity Detective
    Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Process or Activity Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Process or Activity Detective
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Monitor and Evaluate Occurrences Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Investigate Detective
    Respond to and triage when an incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Contain the incident to prevent further loss. CC ID 01751 Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Establish/Maintain Documentation Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Establish/Maintain Documentation Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Assess all incidents to determine what information was accessed. CC ID 01226 Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179 Investigate Detective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Redact restricted data before sharing incident information. CC ID 16994 Data and Information Management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Remediate security violations according to organizational standards. CC ID 12338 Business Processes Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties' rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739 Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Establish/Maintain Documentation Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Technical Security Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Business Processes Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Establish/Maintain Documentation Preventive
    Include a description of the data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Human Resources Management Corrective
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Establish/Maintain Documentation Preventive
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Monitor and Evaluate Occurrences Detective
    Re-image compromised systems with secure builds. CC ID 12086 Technical Security Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Establish/Maintain Documentation Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Include incident response procedures in the Incident Management program. CC ID 01218 Establish/Maintain Documentation Preventive
    Integrate configuration management procedures into the incident management program. CC ID 13647 Technical Security Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Data and Information Management Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Establish/Maintain Documentation Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Log Management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Establish/Maintain Documentation Preventive
    Include users' responsibilities when a theft has occurred in the Incident Management program. CC ID 06387 Establish/Maintain Documentation Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Establish organizational roles, policies, and procedures for communicating GAI incidents and performance to AI Actors and downstream stakeholders (including those potentially impacted), via community or official resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor). GV-2.1-001]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Establish procedures to engage teams for GAI system incident response with diverse composition and responsibilities based on the particular incident type. GV-2.1-002
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems; Incident response and containment. GV-3.2-002]
    Establish/Maintain Documentation Preventive
    Create an incident response report. CC ID 12700 Establish/Maintain Documentation Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987 Establish/Maintain Documentation Preventive
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Establish/Maintain Documentation Preventive
    Include disciplinary actions taken in the incident response report. CC ID 16810 Establish/Maintain Documentation Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Establish/Maintain Documentation Preventive
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Establish/Maintain Documentation Preventive
    Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 Establish/Maintain Documentation Preventive
    Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 Establish/Maintain Documentation Preventive
    Include investments associated with the incident in the incident response report. CC ID 12726 Establish/Maintain Documentation Preventive
    Include costs associated with the incident in the incident response report. CC ID 12725 Establish/Maintain Documentation Preventive
    Include losses due to the incident in the incident response report. CC ID 12724 Establish/Maintain Documentation Preventive
    Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 Establish/Maintain Documentation Preventive
    Include foregone revenue from the incident in the incident response report. CC ID 12723 Establish/Maintain Documentation Preventive
    Include the magnitude of the incident in the incident response report. CC ID 12722 Establish/Maintain Documentation Preventive
    Include implications of the incident in the incident response report. CC ID 12721 Establish/Maintain Documentation Preventive
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 Establish/Maintain Documentation Preventive
    Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 Establish/Maintain Documentation Preventive
    Include information on all affected assets in the incident response report. CC ID 12718 Establish/Maintain Documentation Preventive
    Include the scope of the incident in the incident response report. CC ID 12717 Establish/Maintain Documentation Preventive
    Include the duration of the incident in the incident response report. CC ID 12716 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the incident response report. CC ID 12715 Establish/Maintain Documentation Preventive
    Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 Establish/Maintain Documentation Preventive
    Include the reasons the incident occurred in the incident response report. CC ID 12711 Establish/Maintain Documentation Preventive
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 Establish/Maintain Documentation Preventive
    Include lessons learned from the incident in the incident response report. CC ID 12713 Establish/Maintain Documentation Preventive
    Include where the incident occurred in the incident response report. CC ID 12710 Establish/Maintain Documentation Preventive
    Include when the incident occurred in the incident response report. CC ID 12709 Establish/Maintain Documentation Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 Establish/Maintain Documentation Preventive
    Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 Establish/Maintain Documentation Preventive
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 Establish/Maintain Documentation Preventive
    Include an executive summary of the incident in the incident response report. CC ID 12702 Establish/Maintain Documentation Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701 Establish/Maintain Documentation Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 Communicate Preventive
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Acquisition/Sale of Assets or Services Preventive
    Define target resolution times for incident response in the Incident Response program. CC ID 13072 Establish/Maintain Documentation Preventive
    Analyze and respond to security alerts. CC ID 12504 Business Processes Detective
    Mitigate reported incidents. CC ID 12973 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain an incident response plan. CC ID 12056 Establish/Maintain Documentation Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Establish/Maintain Documentation Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Establish/Maintain Documentation Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Establish/Maintain Documentation Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Establish/Maintain Documentation Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Establish/Maintain Documentation Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Establish/Maintain Documentation Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Establish/Maintain Documentation Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Establish/Maintain Documentation Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Establish/Maintain Documentation Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Communicate Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 Establish/Maintain Documentation Preventive
    Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 Establish/Maintain Documentation Preventive
    Include identifying remediation actions in the incident response plan. CC ID 13354 Establish/Maintain Documentation Preventive
    Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 Establish/Maintain Documentation Preventive
    Include log management procedures in the incident response program. CC ID 17081 Establish/Maintain Documentation Preventive
    Include coverage of all system components in the Incident Response program. CC ID 11955 Establish/Maintain Documentation Preventive
    Prepare for incident response notifications. CC ID 00584 Establish/Maintain Documentation Preventive
    Include incident response team services in the Incident Response program. CC ID 11766 Establish/Maintain Documentation Preventive
    Include the incident response training program in the Incident Response program. CC ID 06750 Establish/Maintain Documentation Preventive
    Incorporate simulated events into the incident response training program. CC ID 06751 Behavior Preventive
    Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 Behavior Preventive
    Conduct incident response training. CC ID 11889 Training Preventive
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the incident response policy. CC ID 14108 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the incident response policy. CC ID 14107 Establish/Maintain Documentation Preventive
    Include management commitment in the incident response policy. CC ID 14106 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the incident response policy. CC ID 14105 Establish/Maintain Documentation Preventive
    Include the scope in the incident response policy. CC ID 14104 Establish/Maintain Documentation Preventive
    Include the purpose in the incident response policy. CC ID 14101 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Communicate Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206 Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Establish/Maintain Documentation Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 Behavior Preventive
    Include business continuity procedures in the Incident Response program. CC ID 06433 Establish/Maintain Documentation Preventive
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Establish/Maintain Documentation Preventive
    Include consumer protection procedures in the Incident Response program. CC ID 12755 Systems Continuity Preventive
    Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 Business Processes Preventive
    Establish trust between the incident response team and the end user community during an incident. CC ID 01217 Testing Detective
    Include business recovery procedures in the Incident Response program. CC ID 11774 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Establish/Maintain Documentation Preventive
    Retain collected evidence for potential future legal actions. CC ID 01235 Records Management Preventive
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Investigate Detective
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Investigate Detective
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Establish/Maintain Documentation Detective
    Include time information in the chain of custody. CC ID 17068 Log Management Preventive
    Include actions performed on evidence in the chain of custody. CC ID 17067 Log Management Preventive
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Log Management Preventive
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Establish/Maintain Documentation Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Establish/Maintain Documentation Preventive
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Investigate Corrective
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Communicate Detective
    Identify potential sources of digital forensic evidence. CC ID 08651 Investigate Preventive
    Document the legal requirements for evidence collection. CC ID 08654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Records Management Preventive
    Prepare digital forensic equipment. CC ID 08688 Investigate Detective
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Investigate Detective
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Investigate Detective
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Establish/Maintain Documentation Detective
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Testing Detective
    Maintain digital forensic equipment for proper performance. CC ID 08689 Investigate Detective
    Collect evidence from the incident scene. CC ID 02236 Business Processes Corrective
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Establish/Maintain Documentation Detective
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Establish/Maintain Documentation Detective
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Establish/Maintain Documentation Detective
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Establish/Maintain Documentation Detective
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Establish/Maintain Documentation Detective
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Investigate Detective
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Investigate Detective
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Investigate Detective
    Secure devices containing digital forensic evidence. CC ID 08681 Investigate Detective
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Investigate Detective
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Investigate Detective
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Investigate Detective
    Shut down stand-alone devices containing digital forensic evidence. CC ID 08682 Investigate Detective
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Investigate Detective
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Investigate Detective
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 Establish/Maintain Documentation Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 Actionable Reports or Measurements Preventive
    Test the incident response procedures. CC ID 01216 Testing Detective
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [Establish minimum thresholds for performance or assurance criteria and review as part of deployment approval ("go"/"no-go") policies, procedures, and processes, with reviewed processes and approval thresholds reflecting measurement of GAI capabilities and risks. GV-1.3-002]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Business Processes Preventive
    Use proactive performance management. CC ID 00937 Business Processes Detective
    Utilize resource availability management controls. CC ID 00940 Business Processes Detective
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Establish/Maintain Documentation Preventive
    Follow the maintenance schedule. CC ID 11791 Maintenance Preventive
    Establish, implement, and maintain rate limits, as necessary. CC ID 06883 Business Processes Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 Technical Security Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain a service catalog. CC ID 13634 Establish/Maintain Documentation Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an artificial intelligence system. CC ID 14943
    [The specific tasks and methods used to implement the tasks that the AI system will support are defined (e.g., classifiers, generative models, recommenders). MAP 2.1:
    Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
    Devise a plan to halt development or deployment of a GAI system that poses unacceptable negative risk. GV-1.3-007]
    Systems Design, Build, and Implementation Preventive
    Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 Communicate Preventive
    Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 Process or Activity Preventive
    Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 Process or Activity Preventive
    Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 Communicate Preventive
    Establish, implement, and maintain a post-market monitoring system. CC ID 15050 Monitor and Evaluate Occurrences Preventive
    Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047
    [Establish policies and mechanisms to prevent GAI systems from generating CSAM, NCII or content that violates the law. GV-1.4-001]
    Systems Design, Build, and Implementation Corrective
    Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043 Business Processes Preventive
    Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042 Business Processes Preventive
    Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039 Business Processes Preventive
    Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225 Process or Activity Preventive
    Assess the trustworthiness of artificial intelligence systems. CC ID 16319 Business Processes Detective
    Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037 Business Processes Preventive
    Withdraw authorizations that are unjustified. CC ID 15035 Business Processes Corrective
    Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031 Business Processes Detective
    Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030 Physical and Environmental Protection Detective
    Prohibit artificial intelligence systems from being placed on the market when they are not in compliance with the requirements. CC ID 15029 Acquisition/Sale of Assets or Services Preventive
    Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:
    {residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
    Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:
    Assess the accuracy, quality, reliability, and authenticity of GAI output by comparing it to a set of known ground truth data and by using a variety of evaluation methods (e.g., human oversight and automated evaluation, proven cryptographic techniques, review of content inputs). MP-2.3-001]
    Process or Activity Preventive
    Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022
    [The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices. GOVERN 1.2:]
    Systems Design, Build, and Implementation Preventive
    Take into account the nature of the situation when determining the possibility of using 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020 Process or Activity Preventive
    Notify users when images, videos, or audio on the artificial intelligence system have been artificially generated or manipulated. CC ID 15019 Communicate Preventive
    Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017 Communicate Preventive
    Use a remote biometric identification system under defined conditions. CC ID 15016 Process or Activity Preventive
    Notify users when they are using an artificial intelligence system. CC ID 15015 Communicate Preventive
    Receive prior authorization for the use of a remote biometric identification system. CC ID 15014 Business Processes Preventive
    Prohibit artificial intelligence systems that deploy subliminal techniques from being placed on the market. CC ID 15012 Acquisition/Sale of Assets or Services Preventive
    Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010 Acquisition/Sale of Assets or Services Preventive
    Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008 Acquisition/Sale of Assets or Services Preventive
    Prohibit artificial intelligence systems that exploit vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006 Acquisition/Sale of Assets or Services Preventive
    Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004 Business Processes Preventive
    Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003
    [Policies are in place to bolster oversight of GAI systems with independent evaluations or assessments of GAI models or systems where the type and robustness of evaluations are proportional to the identified risks. GV-3.2-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Establish policies, procedures, and processes for oversight functions (e.g., senior leadership, legal, compliance, including internal evaluation) across the GAI lifecycle, from problem formulation and supply chains to system decommission. GV-4.1-003
    {human interface} {artificial intelligence system} Implement systems to continually monitor and track the outcomes of human-GAI configurations for future refinement and improvements. MP-3.4-005]
    Behavior Preventive
    Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093 Process or Activity Preventive
    Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091 Human Resources Management Preventive
    Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089 Data and Information Management Preventive
    Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system, or to override, disregard, or reverse the output. CC ID 15079
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Behavior Preventive
    Enable users to interpret the artificial intelligence system's output and use. CC ID 15002
    [The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:]
    Business Processes Preventive
    Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996
    [The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:
    Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches. GV-1.2-001]
    Systems Design, Build, and Implementation Preventive
    Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099 Establish/Maintain Documentation Preventive
    Reassess the designation of artificial intelligence systems. CC ID 17230 Process or Activity Preventive
    Define a high-risk artificial intelligence system. CC ID 14959 Establish/Maintain Documentation Preventive
    Take into account the consequences for the rights and freedoms of persons when using 'real-time' remote biometric identification systems for law enforcement. CC ID 14957 Process or Activity Preventive
    Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955 Process or Activity Preventive
    Document the use of remote biometric identification systems. CC ID 17215 Business Processes Preventive
    Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216 Communicate Preventive
    Refrain from using remote biometric identification systems under defined conditions. CC ID 14953 Process or Activity Preventive
    Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 Process or Activity Preventive
    Establish, implement, and maintain an environmental management system. CC ID 14945 Business Processes Preventive
    Include the scope in the environmental management system. CC ID 14950 Establish/Maintain Documentation Preventive
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
    [Environmental impact and sustainability of AI model training and management activities – as identified in the MAP function – are assessed and documented. MEASURE 2.12:]
    Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540
    [Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness. GOVERN 1.7:
    Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Establish/Maintain Documentation Preventive
    Obtain management approval prior to decommissioning assets. CC ID 17269 Business Processes Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Process or Activity Preventive
  • Privacy protection for information and data
    26
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Limit data leakage. CC ID 00356
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
  • Records management
    14
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Establish/Maintain Documentation Detective
    Store records and data in accordance with organizational standards. CC ID 16439 Data and Information Management Preventive
    Remove dormant data from systems, as necessary. CC ID 13726 Process or Activity Preventive
    Select the appropriate format for archived data and records. CC ID 06320 Data and Information Management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Testing Detective
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Data and Information Management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Data and Information Management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [Establish known assumptions and practices for determining data origin and content lineage, for documentation and evaluation purposes. MP-2.1-001]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [Maintain a document retention policy to keep history for test, evaluation, validation, and verification (TEVV), and digital content transparency methods for GAI. GV-1.5-003]
    Establish/Maintain Documentation Preventive
  • System hardening through configuration management
    7
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Certify the system before releasing it into a production environment. CC ID 06419 Configuration Preventive
    Document the system's accreditation and residual risks. CC ID 06728
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Configuration Preventive
    Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 Establish/Maintain Documentation Preventive
    Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 Configuration Preventive
    Test systems to ensure they conform to configuration baselines. CC ID 13062
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Testing Detective
  • Systems design, build, and implementation
    163
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823
    [Allocate time and resources for outreach, feedback, and recourse processes in GAI system development. GV-5.1-001]
    Systems Design, Build, and Implementation Preventive
    Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 Establish/Maintain Documentation Preventive
    Perform a feasibility study for product requests. CC ID 06895 Acquisition/Sale of Assets or Services Preventive
    Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 Human Resources Management Preventive
    Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 Establish/Maintain Documentation Preventive
    Include information security throughout the system development life cycle. CC ID 12042 Systems Design, Build, and Implementation Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Data and Information Management Preventive
    Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 Communicate Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Establish/Maintain Documentation Preventive
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Establish/Maintain Documentation Preventive
    Include naming conventions in system design guidelines. CC ID 13656 Establish/Maintain Documentation Preventive
    Implement manual override capability into automated systems. CC ID 14921 Systems Design, Build, and Implementation Preventive
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Establish Roles Preventive
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Establish Roles Preventive
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Establish Roles Preventive
    Restrict system architects from being assigned as Administrators. CC ID 01064 Testing Detective
    Restrict the development team from having access to the production environment. CC ID 01066 Testing Detective
    Redesign business activities to support the system implementation. CC ID 01067 Systems Design, Build, and Implementation Corrective
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Establish/Maintain Documentation Preventive
    Establish and maintain an input requirements definition document. CC ID 01071 Establish/Maintain Documentation Preventive
    Search for metadata during e-discovery. CC ID 01073 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain security design principles. CC ID 14718 Systems Design, Build, and Implementation Preventive
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems Design, Build, and Implementation Preventive
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Systems Design, Build, and Implementation Preventive
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems Design, Build, and Implementation Preventive
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems Design, Build, and Implementation Preventive
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems Design, Build, and Implementation Preventive
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Establish/Maintain Documentation Preventive
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems Design, Build, and Implementation Preventive
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems Design, Build, and Implementation Preventive
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems Design, Build, and Implementation Preventive
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Systems Design, Build, and Implementation Preventive
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems Design, Build, and Implementation Preventive
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems Design, Build, and Implementation Preventive
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems Design, Build, and Implementation Preventive
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems Design, Build, and Implementation Preventive
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems Design, Build, and Implementation Preventive
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems Design, Build, and Implementation Preventive
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems Design, Build, and Implementation Preventive
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems Design, Build, and Implementation Preventive
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems Design, Build, and Implementation Preventive
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems Design, Build, and Implementation Preventive
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems Design, Build, and Implementation Preventive
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems Design, Build, and Implementation Preventive
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems Design, Build, and Implementation Preventive
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems Design, Build, and Implementation Preventive
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems Design, Build, and Implementation Preventive
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems Design, Build, and Implementation Preventive
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems Design, Build, and Implementation Preventive
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems Design, Build, and Implementation Preventive
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems Design, Build, and Implementation Preventive
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems Design, Build, and Implementation Preventive
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems Design, Build, and Implementation Preventive
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems Design, Build, and Implementation Preventive
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system use training plan. CC ID 01089
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Establish/Maintain Documentation Preventive
    Train the affected users during system development life cycle projects. CC ID 01091 Behavior Preventive
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Establish/Maintain Documentation Preventive
    Include the physical design characteristics in the system design specification. CC ID 06927 Establish/Maintain Documentation Preventive
    Establish and maintain System Development Life Cycle documentation. CC ID 12079
    [Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts. GOVERN 4.1:]
    Systems Design, Build, and Implementation Preventive
    Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 Establish/Maintain Documentation Preventive
    Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 Establish/Maintain Documentation Preventive
    Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 Establish/Maintain Documentation Preventive
    Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 Establish/Maintain Documentation Preventive
    Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 Establish/Maintain Documentation Preventive
    Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 Establish/Maintain Documentation Preventive
    Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 Establish/Maintain Documentation Preventive
    Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 Establish/Maintain Documentation Preventive
    Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 Establish/Maintain Documentation Preventive
    Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 Establish/Maintain Documentation Preventive
    Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 Establish/Maintain Documentation Preventive
    Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 Establish/Maintain Documentation Preventive
    Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 Establish/Maintain Documentation Preventive
    Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 Establish/Maintain Documentation Preventive
    Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 Establish/Maintain Documentation Preventive
    Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 Establish/Maintain Documentation Preventive
    Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 Establish/Maintain Documentation Preventive
    Define and document organizational structures for system and network monitoring. CC ID 12554 Establish/Maintain Documentation Preventive
    Define and document organizational structures for systems operations. CC ID 12553 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a full set of system procedures. CC ID 01074 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a processing requirements definition document. CC ID 01077 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an output requirements definition document. CC ID 01078 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a database management standard. CC ID 01079 Establish/Maintain Documentation Preventive
    Compile databases to protect their structural intellectual property. CC ID 07044 Technical Security Preventive
    Establish, implement, and maintain system design requirements. CC ID 06618
    [Scientific integrity and TEVV considerations are identified and documented, including those related to experimental design, data collection and selection (e.g., availability, representativeness, suitability), system trustworthiness, and construct validation. MAP 2.3:]
    Establish/Maintain Documentation Preventive
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 Systems Design, Build, and Implementation Preventive
    Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 Establish/Maintain Documentation Detective
    Document stakeholder requirements and how they influence system design requirements. CC ID 06925 Establish/Maintain Documentation Preventive
    Document legal requirements and how they influence system design requirements. CC ID 11793 Establish/Maintain Documentation Preventive
    Compare system design requirements against system design requests. CC ID 06619 Testing Detective
    Resolve conflicting design and development inputs. CC ID 13703 Process or Activity Corrective
    Design and develop built-in redundancies, as necessary. CC ID 13064 Systems Design, Build, and Implementation Preventive
    Identify and document system design constraints. CC ID 06923 Establish/Maintain Documentation Preventive
    Identify and document limitations that the implementation technology and the implementation strategy puts on the system design solution. CC ID 06928
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:]
    Establish/Maintain Documentation Preventive
    Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 Systems Design, Build, and Implementation Preventive
    Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 Systems Design, Build, and Implementation Preventive
    Identify and document system development constraints. CC ID 11698 Establish/Maintain Documentation Preventive
    Identify and document the system boundaries of the system design project. CC ID 06924 Establish/Maintain Documentation Preventive
    Determine if commercial off the shelf products meet the system design requirements. CC ID 06926 Testing Detective
    Review the degree of human intervention and control points in the system design requirements. CC ID 13536 Establish/Maintain Documentation Detective
    Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 Systems Design, Build, and Implementation Preventive
    Include performance criteria in the system requirements specification. CC ID 11540 Technical Security Preventive
    Include accommodating increases in capacity in the system requirements specification. CC ID 11562 Technical Security Preventive
    Include product upgrade methodologies in the system requirements specification. CC ID 11563 Technical Security Preventive
    Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564
    [{multiple sources} Deploy and document fact-checking techniques to verify the accuracy and veracity of information generated by GAI systems, especially when the information comes from multiple (or unknown) sources. MP-2.3-003]
    Technical Security Preventive
    Include anti-counterfeit measures in the system requirements specification. CC ID 11547 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 Physical and Environmental Protection Preventive
    Analyze anti-counterfeit measures for their longevity. CC ID 11553 Physical and Environmental Protection Preventive
    Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 Physical and Environmental Protection Preventive
    Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Testing Detective
    Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects. CC ID 01045
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems; Incident response and containment. GV-3.2-002]
    Systems Design, Build, and Implementation Detective
    Include the threats and risks associated with the system development project in the project feasibility study. CC ID 11797
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Establish/Maintain Documentation Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems Design, Build, and Implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Establish/Maintain Documentation Preventive
    Include threat models in the system design specification. CC ID 06829
    [Engage in threat modeling to anticipate potential risks from GAI systems. GV-3.2-005]
    Systems Design, Build, and Implementation Preventive
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems Design, Build, and Implementation Corrective
    Document the results of the source code analysis. CC ID 14310
    [Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:]
    Process or Activity Detective
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Testing Detective
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
    AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Establish/Maintain Documentation Preventive
    Restrict production data from being used in the test environment. CC ID 01103 Testing Detective
    Protect test data in the development environment. CC ID 12014 Technical Security Preventive
    Control the test data used in the development environment. CC ID 12013 Systems Design, Build, and Implementation Preventive
    Select the test data carefully. CC ID 12011 Systems Design, Build, and Implementation Preventive
    Test all software changes before promoting the system to a production environment. CC ID 01106 Testing Detective
    Test security functionality during the development process. CC ID 12015 Testing Preventive
    Include system performance in the scope of system testing. CC ID 12624 Process or Activity Preventive
    Include security controls in the scope of system testing. CC ID 12623 Process or Activity Preventive
    Include business logic in the scope of system testing. CC ID 12622 Process or Activity Preventive
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Testing Detective
    Review and test source code. CC ID 01086 Testing Detective
    Assign the review of custom code changes to individuals other than the code author. CC ID 06291 Establish Roles Preventive
    Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 Establish/Maintain Documentation Preventive
    Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 Testing Corrective
    Approve all custom code test results before code is released. CC ID 06293 Testing Detective
    Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 Communicate Preventive
    Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 Establish/Maintain Documentation Preventive
    Perform Quality Management on all newly developed or modified software. CC ID 11798 Testing Detective
    Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Establish/Maintain Documentation Preventive
    Establish and maintain technical documentation. CC ID 15005
    [Intended purposes, potentially beneficial uses, context specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood and documented. Considerations include: the specific set or types of users along with their expectations; potential positive and negative impacts of system uses to individuals, communities, organizations, society, and the planet; assumptions and related limitations about AI system purposes, uses, and risks across the development or product AI lifecycle; and related TEVV and system metrics. MAP 1.1:]
    Establish/Maintain Documentation Preventive
    Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104 Establish/Maintain Documentation Preventive
    Include the risk mitigation measures in the technical documentation. CC ID 17246 Establish/Maintain Documentation Preventive
    Include the intended outputs of the system in the technical documentation. CC ID 17245 Establish/Maintain Documentation Preventive
    Include the limitations of the system in the technical documentation. CC ID 17242 Establish/Maintain Documentation Preventive
    Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 Establish/Maintain Documentation Preventive
    Include all required information in the technical documentation. CC ID 15094 Establish/Maintain Documentation Preventive
    Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088 Establish/Maintain Documentation Preventive
    Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 Communicate Preventive
  • Technical security
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Establish/Maintain Documentation Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059
    [{data flow} Institute test and evaluation for data and content flows within the GAI system, including but not limited to, original data sources, data transformations, and decision-making criteria. MP-2.1-002]
    Establish/Maintain Documentation Preventive
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Process or Activity Detective
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Establish/Maintain Documentation Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Establish/Maintain Documentation Preventive
    Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Communicate Preventive
    Manage all external network connections. CC ID 11842
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Technical Security Preventive
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical Security Preventive
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical Security Preventive
    Prohibit systems from connecting directly to external networks. CC ID 08709 Configuration Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical Security Preventive
  • Third Party and supply chain oversight
    67
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Establish/Maintain Documentation Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Systems Continuity Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [Include clauses in contracts which allow an organization to evaluate third-party GAI processes and standards. GV-6.1-006]
    Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Implement a use-case based supplier risk assessment framework to evaluate and monitor third-party entities' performance and adherence to content provenance standards and technologies to detect anomalies and unauthorized changes; services acquisition and value chain risk management; and legal compliance. GV-6.1-005]
    Testing Detective
    Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 Establish/Maintain Documentation Preventive
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [Update and integrate due diligence processes for GAI acquisition and procurement vendor assessments to include intellectual property, data privacy, security, and other risks. For example, update processes to: Address solutions that may rely on embedded GAI technologies; Address ongoing monitoring, assessments, and alerting, dynamic risk assessments, and real-time reporting tools for monitoring third-party GAI risks; Consider policy adjustments across GAI modeling libraries, tools and APIs, fine-tuned models, and embedded tools; Assess GAI vendors, open-source or proprietary GAI tools, or GAI service providers against incident or vulnerability databases. GV-6.1-009]
    Business Processes Preventive
    Provide management support for third party due diligence. CC ID 08847 Business Processes Preventive
    Commit to the supply chain due diligence process. CC ID 08849 Business Processes Preventive
    Structure the organization to support supply chain due diligence. CC ID 08850 Business Processes Preventive
    Schedule supply chain audits, as necessary. CC ID 10015 Audits and Risk Management Preventive
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 Business Processes Preventive
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Business Processes Preventive
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Establish/Maintain Documentation Preventive
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Business Processes Preventive
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Business Processes Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Business Processes Preventive
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Business Processes Preventive
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Business Processes Preventive
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Establish/Maintain Documentation Preventive
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Establish/Maintain Documentation Preventive
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 Business Processes Preventive
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Business Processes Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878
    [Identify and document how the system relies on upstream data sources, including for content provenance, and if it serves as an upstream dependency for other systems. MP-2.2-001]
    Business Processes Preventive
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 Business Processes Preventive
    Collect and disclose payments to purchasers. CC ID 08880 Business Processes Preventive
    Collect and disclose ownership information to purchasers. CC ID 08881 Business Processes Preventive
    Collect and disclose mine locations to purchasers. CC ID 08882 Business Processes Preventive
    Collect and disclose extraction information to purchasers. CC ID 08883 Business Processes Preventive
    Provide products or services per customer requests. CC ID 08893 Business Processes Preventive
    Collect and disclose facility locations to purchasers. CC ID 08884 Business Processes Preventive
    Provide product information to purchasers. CC ID 08894 Data and Information Management Preventive
    Collect and disclose supply chain members to purchasers. CC ID 08885 Business Processes Preventive
    Define the traceability documentation required for chain of custody certification. CC ID 08895 Establish/Maintain Documentation Preventive
    Collect and disclose transportation routes to purchasers. CC ID 08886 Business Processes Preventive
    Implement chain of custody procedures. CC ID 08896 Business Processes Preventive
    Collect and disclose documentation of security forces to purchasers. CC ID 08887 Establish/Maintain Documentation Preventive
    Validate the mine of origin for sourcing of materials against independent data. CC ID 08897 Data and Information Management Detective
    Collect and disclose all local exporters to purchasers. CC ID 08888 Business Processes Preventive
    Trace materials to their origin. CC ID 08898 Business Processes Detective
    Collect and disclose information provided by local exporters to purchasers. CC ID 08889 Business Processes Preventive
    Review documentation that justifies the sourcing and chain of custody. CC ID 08899 Establish/Maintain Documentation Preventive
    Employ digital information sharing systems to assess supply chain due diligence. CC ID 08918 Data and Information Management Preventive
    Receive and follow up on supply chain grievances. CC ID 08901 Business Processes Preventive
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 Business Processes Preventive
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Behavior Preventive
    Create an on-site mine visit report. CC ID 08921 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a community-monitoring network to provide information about the supply chain. CC ID 08922 Business Processes Preventive
    Establish forums for sharing information about the supply chain. CC ID 08923 Business Processes Preventive
    Disseminate and communicate collected supply chain information to purchasers. CC ID 08924 Data and Information Management Preventive
    Share collected supply chain information with the supply chain members. CC ID 08925 Data and Information Management Preventive
    Provide assessment teams with records of materials from red flag locations. CC ID 08926 Business Processes Preventive
    Establish and maintain associations of suppliers to minimize exposure to supply chain risk. CC ID 08927 Business Processes Preventive
    Collect transit route information from suppliers. CC ID 08928 Data and Information Management Preventive
    Establish, implement, and maintain anti-counterfeit measures. CC ID 11522 Technical Security Preventive
    Establish, implement, and maintain electronic marketplace terms of service guidelines. CC ID 11523
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Technical Security Preventive
    Include the prohibition of counterfeiting in the electronic marketplace terms of service guidelines. CC ID 11524 Technical Security Preventive
    Enforce the electronic marketplace terms of service guidelines. CC ID 11525 Technical Security Preventive
Common Controls and mandates by Type
121 Mandated Controls - bold    112 Implied Controls - italic    1463 Implementation - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1696 Total
  • Acquisition/Sale of Assets or Services
    17
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Refrain from using gifted mobile devices. CC ID 16460 Human Resources management Preventive
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Operational management Preventive
    Prohibit artificial intelligence systems from being placed on the market when it is not in compliance with the requirements. CC ID 15029 Operational management Preventive
    Prohibit artificial intelligence systems that deploy subliminal techniques from being placed on the market. CC ID 15012 Operational management Preventive
    Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010 Operational management Preventive
    Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008 Operational management Preventive
    Prohibit artificial intelligence systems that exploit vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006 Operational management Preventive
    Perform a feasibility study for product requests. CC ID 06895 Systems design, build, and implementation Preventive
    Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 Systems design, build, and implementation Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Preventive
    Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 Acquisition or sale of facilities, technology, and services Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition or sale of facilities, technology, and services Preventive
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Corrective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
  • Actionable Reports or Measurements
    184
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 Audits and risk management Detective
    Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 Audits and risk management Detective
    Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 Audits and risk management Detective
    Include revenues in the disclosure report. CC ID 16099 Audits and risk management Detective
    Include the economic value distributed in the disclosure report. CC ID 16086 Audits and risk management Detective
    Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 Audits and risk management Detective
    Include total monetary value of payments to governments in the disclosure report. CC ID 16091 Audits and risk management Detective
    Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 Audits and risk management Detective
    Include total monetary value of community investments in the disclosure report. CC ID 16089 Audits and risk management Detective
    Include operating costs in the disclosure report. CC ID 16088 Audits and risk management Detective
    Include economic value retained in the disclosure report. CC ID 16094 Audits and risk management Detective
    Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 Audits and risk management Detective
    Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 Audits and risk management Detective
    Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 Audits and risk management Detective
    Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 Audits and risk management Detective
    Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 Audits and risk management Detective
    Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 Audits and risk management Detective
    Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 Audits and risk management Detective
    Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 Audits and risk management Detective
    Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 Audits and risk management Detective
    Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 Audits and risk management Detective
    Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 Audits and risk management Detective
    Include revenues from third party sales in the disclosure report. CC ID 16045 Audits and risk management Detective
    Include the profit and loss before tax in the disclosure report. CC ID 16044 Audits and risk management Detective
    Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 Audits and risk management Detective
    Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 Audits and risk management Detective
    Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 Audits and risk management Detective
    Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 Audits and risk management Detective
    Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 Audits and risk management Detective
    Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 Audits and risk management Detective
    Include the total number of incidents of corruption in the disclosure report. CC ID 16066 Audits and risk management Detective
    Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 Audits and risk management Detective
    Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 Audits and risk management Detective
    Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 Audits and risk management Detective
    Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 Audits and risk management Detective
    Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 Audits and risk management Detective
    Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 Audits and risk management Detective
    Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 Audits and risk management Detective
    Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 Audits and risk management Detective
    Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 Audits and risk management Detective
    Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 Audits and risk management Detective
    Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 Audits and risk management Detective
    Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 Audits and risk management Detective
    Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 Audits and risk management Detective
    Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 Audits and risk management Detective
    Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 Audits and risk management Detective
    Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 Audits and risk management Detective
    Include the total amount of significant air emissions in the disclosure report. CC ID 16005 Audits and risk management Detective
    Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 Audits and risk management Detective
    Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 Audits and risk management Detective
    Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 Audits and risk management Detective
    Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 Audits and risk management Detective
    Include the total emissions of particulate matter in the disclosure report. CC ID 16077 Audits and risk management Detective
    Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 Audits and risk management Detective
    Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 Audits and risk management Detective
    Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 Audits and risk management Detective
    Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 Audits and risk management Detective
    Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 Audits and risk management Detective
    Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 Audits and risk management Detective
    Include the total volume of significant spills in the disclosure report. CC ID 16010 Audits and risk management Detective
    Include the total number of significant spills in the disclosure report. CC ID 15965 Audits and risk management Detective
    Include the performance qualification score of laptops in the disclosure report. CC ID 16176 Audits and risk management Detective
    Include the battery life score of laptops in the disclosure report. CC ID 16175 Audits and risk management Detective
    Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 Audits and risk management Detective
    Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 Audits and risk management Detective
    Include the energy efficiency of server processors in the disclosure report. CC ID 16170 Audits and risk management Detective
    Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 Audits and risk management Detective
    Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 Audits and risk management Detective
    Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 Audits and risk management Detective
    Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 Audits and risk management Detective
    Include the average actual sustained download speed in the disclosure report. CC ID 15568 Audits and risk management Detective
    Include the average advertised download speed in the disclosure report. CC ID 15567 Audits and risk management Detective
    Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 Audits and risk management Detective
    Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 Audits and risk management Detective
    Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 Audits and risk management Detective
    Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 Audits and risk management Detective
    Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 Audits and risk management Detective
    Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 Audits and risk management Detective
    Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 Audits and risk management Detective
    Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 Audits and risk management Detective
    Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 Audits and risk management Preventive
    Include the percentage of offshore employees in the disclosure report. CC ID 15623 Audits and risk management Preventive
    Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 Audits and risk management Detective
    Include the rate of new employee hires in the disclosure report. CC ID 15928 Audits and risk management Detective
    Include the total number of employees who left the organization in the disclosure report. CC ID 16127 Audits and risk management Detective
    Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 Audits and risk management Detective
    Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 Audits and risk management Detective
    Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 Audits and risk management Detective
    Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 Audits and risk management Detective
    Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 Audits and risk management Detective
    Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 Audits and risk management Detective
    Include the percentage of employee engagement in the disclosure report. CC ID 15634 Audits and risk management Preventive
    Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 Audits and risk management Preventive
    Include the user average interruption duration in the disclosure report. CC ID 15558 Audits and risk management Detective
    Include the system average interruption frequency in the disclosure report. CC ID 15565 Audits and risk management Detective
    Include the total user downtime in the disclosure report. CC ID 15635 Audits and risk management Preventive
    Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 Audits and risk management Preventive
    Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 Audits and risk management Detective
    Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 Audits and risk management Preventive
    Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 Audits and risk management Detective
    Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 Audits and risk management Detective
    Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 Audits and risk management Detective
    Include the power usage effectiveness in the disclosure report. CC ID 15552 Audits and risk management Detective
    Include the energy intensity ratio in the disclosure report. CC ID 15735 Audits and risk management Preventive
    Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 Audits and risk management Detective
    Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 Audits and risk management Detective
    Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 Audits and risk management Detective
    Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 Audits and risk management Detective
    Include the weight of recovered materials in the disclosure report. CC ID 16203 Audits and risk management Detective
    Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 Audits and risk management Detective
    Include the rate of work-related injuries in the disclosure report. CC ID 15944 Audits and risk management Detective
    Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 Audits and risk management Detective
    Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 Audits and risk management Detective
    Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 Audits and risk management Detective
    Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 Audits and risk management Detective
    Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 Audits and risk management Detective
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Mitigate reported incidents. CC ID 12973 Operational management Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 Operational management Preventive
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Acquisition or sale of facilities, technology, and services Preventive
  • Audits and Risk Management
    28
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:]
    Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Risks associated with transparency and accountability – as identified in the MAP function – are examined and documented. MEASURE 2.8:]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Document risk measurement plans to address identified risks. Plans may include, as applicable: Individual and group cognitive biases (e.g., confirmation bias, funding bias, groupthink) for AI Actors involved in the design, implementation, and use of GAI systems; Known past GAI system incidents and failure modes; In-context use and foreseeable misuse, abuse, and off-label use; Over reliance on quantitative metrics and methodologies without sufficient awareness of their limitations in the context(s) of use; Standard measurement and structured human feedback approaches; Anticipated human-AI configurations. MP-1.1-003]
    Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:]
    Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [Responses to the AI risks deemed high priority, as identified by the MAP function, are developed, planned, and documented. Risk response options can include mitigating, transferring, avoiding, or accepting. MANAGE 1.3:
    AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Schedule supply chain audits, as necessary. CC ID 10015 Third Party and supply chain oversight Preventive
  • Behavior
    39
    Establish, implement, and maintain a testing program. CC ID 00654
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Monitoring and measurement Preventive
    Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Include management commitment in the occupational health and safety policy. CC ID 16264 Human Resources management Preventive
    Protect personnel from work-related intimidation. CC ID 07046 Human Resources management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Corrective
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Incorporate simulated events into the incident response training program. CC ID 06751 Operational management Preventive
    Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 Operational management Preventive
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 Operational management Preventive
    Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003
    [Policies are in place to bolster oversight of GAI systems with independent evaluations or assessments of GAI models or systems where the type and robustness of evaluations are proportional to the identified risks. GV-3.2-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Establish policies, procedures, and processes for oversight functions (e.g., senior leadership, legal, compliance, including internal evaluation) across the GAI lifecycle, from problem formulation and supply chains to system decommission. GV-4.1-003
    {human interface} {artificial intelligence system} Implement systems to continually monitor and track the outcomes of human-GAI configurations for future refinement and improvements. MP-3.4-005]
    Operational management Preventive
    Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system, or to override, disregard, or reverse its output. CC ID 15079
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Preventive
    Train the affected users during system development life cycle projects. CC ID 01091 Systems design, build, and implementation Preventive
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Third Party and supply chain oversight Preventive
  • Business Processes
    106
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Obtain management approval prior to decommissioning assets. CC ID 17269 Physical and environmental protection Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [Conduct joint educational activities and events in collaboration with third parties to promote best practices for managing GAI risks. GV-6.1-002]
    Human Resources management Preventive
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Preventive
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Human Resources management Preventive
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001]
    Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Corrective
    Analyze and respond to security alerts. CC ID 12504 Operational management Detective
    Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 Operational management Preventive
    Collect evidence from the incident scene. CC ID 02236 Operational management Corrective
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Preventive
    Use proactive performance management. CC ID 00937 Operational management Detective
    Utilize resource availability management controls. CC ID 00940 Operational management Detective
    Establish, implement, and maintain rate limits, as necessary. CC ID 06883 Operational management Preventive
    Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043 Operational management Preventive
    Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042 Operational management Preventive
    Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039 Operational management Preventive
    Assess the trustworthiness of artificial intelligence systems. CC ID 16319 Operational management Detective
    Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037 Operational management Preventive
    Withdraw authorizations that are unjustified. CC ID 15035 Operational management Corrective
    Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031 Operational management Detective
    Receive prior authorization for the use of a remote biometric identification system. CC ID 15014 Operational management Preventive
    Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004 Operational management Preventive
    Enable users to interpret the artificial intelligence system's output and use. CC ID 15002
    [The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:]
    Operational management Preventive
    Document the use of remote biometric identification systems. CC ID 17215 Operational management Preventive
    Establish, implement, and maintain an environmental management system. CC ID 14945 Operational management Preventive
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Establish policies for user feedback mechanisms for GAI systems which include thorough instructions and any mechanisms for recourse. GV-3.2-004]
    Acquisition or sale of facilities, technology, and services Preventive
    Document consumer complaints. CC ID 13903 Acquisition or sale of facilities, technology, and services Preventive
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Detective
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Detective
    Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [Update and integrate due diligence processes for GAI acquisition and procurement vendor assessments to include intellectual property, data privacy, security, and other risks. For example, update processes to: Address solutions that may rely on embedded GAI technologies; Address ongoing monitoring, assessments, and alerting, dynamic risk assessments, and real-time reporting tools for monitoring third-party GAI risks; Consider policy adjustments across GAI modeling libraries, tools and APIs, fine-tuned models, and embedded tools; Assess GAI vendors, open-source or proprietary GAI tools, or GAI service providers against incident or vulnerability databases. GV-6.1-009]
    Third Party and supply chain oversight Preventive
    Provide management support for third party due diligence. CC ID 08847 Third Party and supply chain oversight Preventive
    Commit to the supply chain due diligence process. CC ID 08849 Third Party and supply chain oversight Preventive
    Structure the organization to support supply chain due diligence. CC ID 08850 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Third Party and supply chain oversight Preventive
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Third Party and supply chain oversight Preventive
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Third Party and supply chain oversight Preventive
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Third Party and supply chain oversight Preventive
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Third Party and supply chain oversight Preventive
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Third Party and supply chain oversight Preventive
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 Third Party and supply chain oversight Preventive
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878
    [Identify and document how the system relies on upstream data sources, including for content provenance, and if it serves as an upstream dependency for other systems. MP-2.2-001]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 Third Party and supply chain oversight Preventive
    Collect and disclose payments to purchasers. CC ID 08880 Third Party and supply chain oversight Preventive
    Collect and disclose ownership information to purchasers. CC ID 08881 Third Party and supply chain oversight Preventive
    Collect and disclose mine locations to purchasers. CC ID 08882 Third Party and supply chain oversight Preventive
    Collect and disclose extraction information to purchasers. CC ID 08883 Third Party and supply chain oversight Preventive
    Provide products or services per customer requests. CC ID 08893 Third Party and supply chain oversight Preventive
    Collect and disclose facility locations to purchasers. CC ID 08884 Third Party and supply chain oversight Preventive
    Collect and disclose supply chain members to purchasers. CC ID 08885 Third Party and supply chain oversight Preventive
    Collect and disclose transportation routes to purchasers. CC ID 08886 Third Party and supply chain oversight Preventive
    Implement chain of custody procedures. CC ID 08896 Third Party and supply chain oversight Preventive
    Collect and disclose all local exporters to purchasers. CC ID 08888 Third Party and supply chain oversight Preventive
    Trace materials to their origin. CC ID 08898 Third Party and supply chain oversight Detective
    Collect and disclose information provided by local exporters to purchasers. CC ID 08889 Third Party and supply chain oversight Preventive
    Receive and follow up on supply chain grievances. CC ID 08901 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a community-monitoring network to provide information about the supply chain. CC ID 08922 Third Party and supply chain oversight Preventive
    Establish forums for sharing information about the supply chain. CC ID 08923 Third Party and supply chain oversight Preventive
    Provide assessment teams with records of materials from red flag locations. CC ID 08926 Third Party and supply chain oversight Preventive
    Establish and maintain associations of suppliers to minimize exposure to supply chain risk. CC ID 08927 Third Party and supply chain oversight Preventive
  • Communicate
    63
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Preventive
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Monitoring and measurement Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Monitoring and measurement Preventive
    Notify interested personnel and affected parties prior to performing testing. CC ID 17034 Monitoring and measurement Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Monitoring and measurement Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Monitoring and measurement Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Monitoring and measurement Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Monitoring and measurement Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Preventive
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 Monitoring and measurement Preventive
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Audits and risk management Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Operational and Systems Continuity Preventive
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Operational and Systems Continuity Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Preventive
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859
    [Create mechanisms to provide protections for whistleblowers who report, based on reasonable belief, when the organization violates relevant laws or poses a specific and empirically well-substantiated negative risk to public safety (or has already caused harm). GV-2.1-005]
    Human Resources management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 Operational management Preventive
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Operational management Preventive
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Operational management Detective
    Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 Operational management Preventive
    Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 Operational management Preventive
    Notify users when images, videos, or audio on the artificial intelligence system have been artificially generated or manipulated. CC ID 15019 Operational management Preventive
    Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017 Operational management Preventive
    Notify users when they are using an artificial intelligence system. CC ID 15015 Operational management Preventive
    Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216 Operational management Preventive
    Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 Systems design, build, and implementation Preventive
    Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 Systems design, build, and implementation Preventive
    Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 Systems design, build, and implementation Preventive
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Preventive
  • Configuration
    14
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Monitoring and measurement Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Monitoring and measurement Corrective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Corrective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Monitoring and measurement Detective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Monitoring and measurement Corrective
    Prohibit systems from connecting directly to external networks. CC ID 08709 Technical security Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Human Resources management Preventive
    Certify the system before releasing it into a production environment. CC ID 06419 System hardening through configuration management Preventive
    Document the system's accreditation and residual risks. CC ID 06728
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    System hardening through configuration management Preventive
    Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 System hardening through configuration management Preventive
  • Data and Information Management
    44
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Preventive
    Delete personal data upon data subject's withdrawal from testing. CC ID 17238 Monitoring and measurement Preventive
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Operational management Preventive
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Preventive
    Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089 Operational management Preventive
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Preventive
    Select the appropriate format for archived data and records. CC ID 06320 Records management Preventive
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Preventive
    Limit data leakage. CC ID 00356
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Provide product information to purchasers. CC ID 08894 Third Party and supply chain oversight Preventive
    Validate the mine of origin for sourcing of materials against independent data. CC ID 08897 Third Party and supply chain oversight Detective
    Employ digital information sharing systems to assess supply chain due diligence. CC ID 08918 Third Party and supply chain oversight Preventive
    Disseminate and communicate collected supply chain information to purchasers. CC ID 08924 Third Party and supply chain oversight Preventive
    Share collected supply chain information with the supply chain members. CC ID 08925 Third Party and supply chain oversight Preventive
    Collect transit route information from suppliers. CC ID 08928 Third Party and supply chain oversight Preventive
  • Establish Roles
    40
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Monitoring and measurement Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Monitoring and measurement Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Audits and risk management Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Preventive
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Preventive
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Systems design, build, and implementation Preventive
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Systems design, build, and implementation Preventive
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Systems design, build, and implementation Preventive
    Assign the review of custom code changes to individuals other than the code author. CC ID 06291 Systems design, build, and implementation Preventive
  • Establish/Maintain Documentation
    709
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [{be external} Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system regarding the potential individual and societal impacts related to AI risks. GOVERN 5.1:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    Feedback processes for end users and impacted communities to report problems and appeal system outcomes are established and integrated into AI system evaluation metrics. MEASURE 3.3:
    Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:
    Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
    Obtain input from stakeholder communities to identify unacceptable use, in accordance with activities in the AI RMF Map function. GV-1.3-004]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain alert procedures. CC ID 12406
    [{alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Leadership and high level objectives Preventive
    Include the criteria for notifications in the notification system. CC ID 17139 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591
    [Mechanisms are in place and applied to sustain the value of deployed AI systems. MANAGE 2.2:]
    Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002
    Review and document accuracy, representativeness, relevance, suitability of data used at different stages of AI life cycle. MP-2.3-002]
    Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Preventive
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Legal and regulatory requirements involving AI are understood, managed, and documented. GOVERN 1.1:]
    Leadership and high level objectives Preventive
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [Define any inventory exemptions in organizational policies for GAI systems embedded into application software. GV-1.6-002]
    Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [Reevaluate organizational risk tolerances to account for unacceptable negative risk (such as where significant negative impacts are imminent, severe harms are actually occurring, or large-scale risks could occur); and broad GAI negative risks, including: Immature safety or risk cultures related to AI and GAI design, development and deployment, public information integrity risks, including impacts on democratic processes, unknown long-term performance characteristics of GAI. GV-1.3-006]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Risk tracking approaches are considered for settings where AI risks are difficult to assess using currently available measurement techniques or where metrics are not yet available. MEASURE 3.2:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676
    [Privacy risk of the AI system – as identified in the MAP function – is examined and documented. MEASURE 2.10:]
    Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Monitoring and measurement Preventive
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Monitoring and measurement Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Monitoring and measurement Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Monitoring and measurement Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Monitoring and measurement Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Monitoring and measurement Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Monitoring and measurement Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Monitoring and measurement Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Monitoring and measurement Preventive
    Document improvement actions based on test results and exercises. CC ID 16840 Monitoring and measurement Preventive
    Define the test requirements for each testing program. CC ID 13177
    [Implement plans for GAI systems to undergo regular adversarial testing to identify vulnerabilities and potential manipulation or misuse. MP-2.3-005
    Delineate human proficiency tests from tests of GAI capabilities. MP-3.4-004]
    Monitoring and measurement Preventive
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Monitoring and measurement Preventive
    Document the business need justification for authorized wireless access points. CC ID 12044 Monitoring and measurement Preventive
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Monitoring and measurement Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Monitoring and measurement Preventive
    Define the test frequency for each testing program. CC ID 13176 Monitoring and measurement Preventive
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Monitoring and measurement Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Monitoring and measurement Preventive
    Align the penetration test program with industry standards. CC ID 12469 Monitoring and measurement Preventive
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Monitoring and measurement Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Monitoring and measurement Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Monitoring and measurement Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Monitoring and measurement Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Monitoring and measurement Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Monitoring and measurement Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Preventive
    Include the pass or fail test status in the test results. CC ID 17106 Monitoring and measurement Preventive
    Include time information in the test results. CC ID 17105 Monitoring and measurement Preventive
    Include a description of the system tested in the test results. CC ID 17104 Monitoring and measurement Preventive
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Monitoring and measurement Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [Develop and validate approaches for measuring the success of content provenance management efforts with third parties (e.g., incidents detected and response times). GV-6.1-003]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655
    [Establish policies for measuring the effectiveness of employed content provenance methodologies (e.g., cryptography, watermarking, steganography, etc.) GV-4.3-001]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities. GOVERN 1.4:]
    Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [Maintain an updated hierarchy of identified and expected GAI risks connected to contexts of GAI model advancement and use, potentially including specialized risk levels for GAI systems that address issues such as model collapse and algorithmic monoculture. GV-1.3-005]
    Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277 Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization's risk tolerance. GOVERN 1.3:
    Procedures are followed to respond to and recover from a previously unknown risk when it is identified. MANAGE 2.3:]
    Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220
    [Include relevant AI Actors in the GAI system risk identification process. GV-4.2-002
    Establish policies and procedures to test and manage risks related to rollover and fallback technologies for GAI systems, acknowledging that rollover and fallback may include manual processing. GV-6.2-006
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    {risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619
    [AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Audits and risk management Preventive
    Establish, implement, and maintain a disclosure report. CC ID 15521 Audits and risk management Preventive
    Include metrics in the disclosure report. CC ID 15916
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Audits and risk management Preventive
    Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 Audits and risk management Preventive
    Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 Audits and risk management Preventive
    Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 Audits and risk management Preventive
    Include the number of individuals in each region in the disclosure report. CC ID 15835 Audits and risk management Preventive
    Include the number of individuals in each gender category in the disclosure report. CC ID 15633 Audits and risk management Preventive
    Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 Audits and risk management Preventive
    Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 Audits and risk management Preventive
    Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 Audits and risk management Preventive
    Include metrics criteria in the disclosure report. CC ID 16143 Audits and risk management Preventive
    Include risk management metrics in the disclosure report. CC ID 16345 Audits and risk management Preventive
    Include financial management metrics in the disclosure report. CC ID 16042 Audits and risk management Preventive
    Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 Audits and risk management Preventive
    Include metrics on anti-corruption in the disclosure report. CC ID 16052 Audits and risk management Preventive
    Include environmental management metrics in the disclosure report. CC ID 16012 Audits and risk management Preventive
    Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 Audits and risk management Preventive
    Include metrics on procurement practices in the disclosure report. CC ID 16011 Audits and risk management Preventive
    Include emissions management metrics in the disclosure report. CC ID 15987 Audits and risk management Preventive
    Include compliance metrics in the disclosure report. CC ID 15932 Audits and risk management Preventive
    Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 Audits and risk management Preventive
    Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 Audits and risk management Preventive
    Include metrics on labor-management relations in the disclosure report. CC ID 15935 Audits and risk management Preventive
    Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 Audits and risk management Preventive
    Include waste management metrics in the disclosure report. CC ID 15925 Audits and risk management Preventive
    Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 Audits and risk management Preventive
    Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 Audits and risk management Preventive
    Include the total weight of waste generated in the disclosure report. CC ID 15778 Audits and risk management Preventive
    Include a breakdown of waste generated in the disclosure report. CC ID 15775 Audits and risk management Preventive
    Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 Audits and risk management Preventive
    Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 Audits and risk management Preventive
    Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 Audits and risk management Preventive
    Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 Audits and risk management Preventive
    Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 Audits and risk management Preventive
Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 Audits and risk management Preventive
    Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 Audits and risk management Preventive
    Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 Audits and risk management Preventive
    Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 Audits and risk management Preventive
    Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 Audits and risk management Preventive
    Include product and service management metrics in the disclosure report. CC ID 15917 Audits and risk management Preventive
    Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 Audits and risk management Preventive
    Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 Audits and risk management Preventive
    Include water management metrics in the disclosure report. CC ID 15924 Audits and risk management Preventive
    Include the total water withdrawal in the disclosure report. CC ID 15593 Audits and risk management Preventive
    Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 Audits and risk management Preventive
    Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 Audits and risk management Preventive
    Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 Audits and risk management Preventive
    Include the total water discharge in the disclosure report. CC ID 15758 Audits and risk management Preventive
    Include a breakdown of water discharge in the disclosure report. CC ID 15759 Audits and risk management Preventive
    Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 Audits and risk management Preventive
    Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 Audits and risk management Preventive
    Include the total water consumption in the disclosure report. CC ID 15642 Audits and risk management Preventive
    Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 Audits and risk management Preventive
    Include the total number of complaints received in the disclosure report. CC ID 15728 Audits and risk management Preventive
    Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 Audits and risk management Preventive
    Include employment practices metrics in the disclosure report. CC ID 15921 Audits and risk management Preventive
    Include the rate of employee turnover in the disclosure report. CC ID 15898 Audits and risk management Preventive
    Include the total number of new employee hires in the disclosure report. CC ID 15896 Audits and risk management Preventive
    Include the total number of employees in the disclosure report. CC ID 15834 Audits and risk management Preventive
    Include metrics on parental leave in the disclosure report. CC ID 15936 Audits and risk management Preventive
    Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 Audits and risk management Preventive
    Include the number of hours worked in the disclosure report. CC ID 15910 Audits and risk management Preventive
    Include metrics on public policy advocacy in the disclosure report. CC ID 15947 Audits and risk management Preventive
    Include the total monetary value of political contributions in the disclosure report. CC ID 15803 Audits and risk management Preventive
    Include metrics on training and education in the disclosure report. CC ID 15940 Audits and risk management Preventive
    Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 Audits and risk management Preventive
    Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 Audits and risk management Preventive
    Include operational metrics in the disclosure report. CC ID 15939 Audits and risk management Preventive
    Include incident management metrics in the disclosure report. CC ID 15926 Audits and risk management Preventive
    Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 Audits and risk management Preventive
    Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 Audits and risk management Preventive
    Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 Audits and risk management Preventive
    Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 Audits and risk management Preventive
    Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 Audits and risk management Preventive
    Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 Audits and risk management Preventive
    Include the number of content removal requests in the disclosure report. CC ID 15647 Audits and risk management Preventive
    Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 Audits and risk management Preventive
    Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 Audits and risk management Preventive
    Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 Audits and risk management Preventive
    Include third party management metrics in the disclosure report. CC ID 15923 Audits and risk management Preventive
    Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 Audits and risk management Preventive
    Include metrics on supplier social assessments in the disclosure report. CC ID 15938 Audits and risk management Preventive
    Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 Audits and risk management Preventive
    Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 Audits and risk management Preventive
    Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 Audits and risk management Preventive
    Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 Audits and risk management Preventive
    Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 Audits and risk management Preventive
    Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 Audits and risk management Preventive
    Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 Audits and risk management Preventive
    Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 Audits and risk management Preventive
    Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 Audits and risk management Preventive
    Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 Audits and risk management Preventive
    Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 Audits and risk management Preventive
    Include customer health and safety management metrics in the disclosure report. CC ID 15922 Audits and risk management Preventive
    Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 Audits and risk management Preventive
    Include energy management metrics in the disclosure report. CC ID 15920 Audits and risk management Preventive
    Include the total energy reduction in the disclosure report. CC ID 15749 Audits and risk management Preventive
    Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 Audits and risk management Preventive
    Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 Audits and risk management Preventive
    Include the total heating sold in the disclosure report. CC ID 15739 Audits and risk management Preventive
    Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 Audits and risk management Preventive
    Include the total electricity sold in the disclosure report. CC ID 15740 Audits and risk management Preventive
    Include the total energy consumption in the disclosure report. CC ID 15506 Audits and risk management Preventive
    Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 Audits and risk management Preventive
    Include the total heating consumption in the disclosure report. CC ID 15743 Audits and risk management Preventive
    Include the total cooling sold in the disclosure report. CC ID 15738 Audits and risk management Preventive
    Include the total cooling consumption in the disclosure report. CC ID 15742 Audits and risk management Preventive
    Include the total steam sold in the disclosure report. CC ID 15737 Audits and risk management Preventive
    Include the total steam consumption in the disclosure report. CC ID 15741 Audits and risk management Preventive
    Include the fuel types used in the disclosure report. CC ID 15745 Audits and risk management Preventive
    Include materials management metrics in the disclosure report. CC ID 15919 Audits and risk management Preventive
    Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 Audits and risk management Preventive
    Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 Audits and risk management Preventive
    Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 Audits and risk management Preventive
    Include occupational health and safety management metrics in the disclosure report. CC ID 15918 Audits and risk management Preventive
    Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 Audits and risk management Preventive
    Include the total number of work-related injuries in the disclosure report. CC ID 15899 Audits and risk management Preventive
    Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 Audits and risk management Preventive
    Include how material topics are managed in the disclosure report. CC ID 15657 Audits and risk management Preventive
    Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059
    [{data flow} Institute test and evaluation for data and content flows within the GAI system, including but not limited to, original data sources, data transformations, and decision-making criteria. MP-2.1-002]
    Technical security Preventive
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Preventive
    Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540
[Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness. GOVERN 1.7:
Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
[Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk. GOVERN 6.2:]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Preventive
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368
[Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems. GOVERN 3.2:
Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Human Resources management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423 Human Resources management Detective
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [{risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Human Resources management Preventive
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Human Resources management Preventive
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Human Resources management Preventive
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Human Resources management Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Human Resources management Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Human Resources management Preventive
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Human Resources management Preventive
    Establish, implement, and maintain food handling procedures. CC ID 11765 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489
[Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
Verify information sharing and feedback mechanisms among individuals and organizations regarding any negative impact from GAI systems. GV-4.3-003]
    Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227
[Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Preventive
Include recovery procedures in the continuous monitoring plan. CC ID 16226
[Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225
[Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223
[Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Define acceptable use policies for GAI interfaces, modalities, and human-AI configurations (i.e., for chatbots and decision-making tasks), including criteria for the kinds of queries GAI applications should refuse to respond to. GV-3.2-003
    {be transparent} {be illegal} Establish transparent acceptable use policies for GAI that address illegal use or applications of GAI. GV-1.4-002
    Update GAI acceptable use policies to address proprietary and open-source GAI technologies and data, and contractors, consultants, and other third-party personnel. GV-6.1-010]
    Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    Implement policies and practices defining how third-party intellectual property and training data will be used, stored, and protected. MP-4.1-006]
    Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Fairness and bias – as identified in the MAP function – are evaluated and results are documented. MEASURE 2.11:]
    Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181
    [Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities. GOVERN 1.6:]
    Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Operational management Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:]
    Operational management Preventive
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Preventive
    Use plain language to write incident response notifications. CC ID 12976 Operational management Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Preventive
    Include time information in incident response notifications. CC ID 04745 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Detective
    Include contact information in incident response notifications. CC ID 04739 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Preventive
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Preventive
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Preventive
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Establish organizational roles, policies, and procedures for communicating GAI incidents and performance to AI Actors and downstream stakeholders (including those potentially impacted), via community or official resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor). GV-2.1-001]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Establish procedures to engage teams for GAI system incident response with diverse composition and responsibilities based on the particular incident type. GV-2.1-002
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Operational management Preventive
    Create an incident response report. CC ID 12700 Operational management Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987 Operational management Preventive
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Operational management Preventive
    Include disciplinary actions taken in the incident response report. CC ID 16810 Operational management Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Operational management Preventive
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Operational management Preventive
    Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 Operational management Preventive
    Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 Operational management Preventive
    Include investments associated with the incident in the incident response report. CC ID 12726 Operational management Preventive
    Include costs associated with the incident in the incident response report. CC ID 12725 Operational management Preventive
    Include losses due to the incident in the incident response report. CC ID 12724 Operational management Preventive
    Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 Operational management Preventive
    Include foregone revenue from the incident in the incident response report. CC ID 12723 Operational management Preventive
    Include the magnitude of the incident in the incident response report. CC ID 12722 Operational management Preventive
    Include implications of the incident in the incident response report. CC ID 12721 Operational management Preventive
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 Operational management Preventive
    Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 Operational management Preventive
    Include information on all affected assets in the incident response report. CC ID 12718 Operational management Preventive
    Include the scope of the incident in the incident response report. CC ID 12717 Operational management Preventive
    Include the duration of the incident in the incident response report. CC ID 12716 Operational management Preventive
    Include the extent of the incident in the incident response report. CC ID 12715 Operational management Preventive
    Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 Operational management Preventive
    Include the reasons the incident occurred in the incident response report. CC ID 12711 Operational management Preventive
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 Operational management Preventive
    Include lessons learned from the incident in the incident response report. CC ID 12713 Operational management Preventive
    Include where the incident occurred in the incident response report. CC ID 12710 Operational management Preventive
    Include when the incident occurred in the incident response report. CC ID 12709 Operational management Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 Operational management Preventive
    Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 Operational management Preventive
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 Operational management Preventive
    Include an executive summary of the incident in the incident response report. CC ID 12702 Operational management Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701 Operational management Preventive
    Define target resolution times for incident response in the Incident Response program. CC ID 13072 Operational management Preventive
    Establish, implement, and maintain an incident response plan. CC ID 12056 Operational management Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Preventive
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Preventive
    Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 Operational management Preventive
    Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 Operational management Preventive
    Include identifying remediation actions in the incident response plan. CC ID 13354 Operational management Preventive
    Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 Operational management Preventive
    Include log management procedures in the incident response program. CC ID 17081 Operational management Preventive
    Include coverage of all system components in the Incident Response program. CC ID 11955 Operational management Preventive
    Prepare for incident response notifications. CC ID 00584 Operational management Preventive
    Include incident response team services in the Incident Response program. CC ID 11766 Operational management Preventive
    Include the incident response training program in the Incident Response program. CC ID 06750 Operational management Preventive
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Operational management Preventive
    Include compliance requirements in the incident response policy. CC ID 14108 Operational management Preventive
    Include coordination amongst entities in the incident response policy. CC ID 14107 Operational management Preventive
    Include management commitment in the incident response policy. CC ID 14106 Operational management Preventive
    Include roles and responsibilities in the incident response policy. CC ID 14105 Operational management Preventive
    Include the scope in the incident response policy. CC ID 14104 Operational management Preventive
    Include the purpose in the incident response policy. CC ID 14101 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206 Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Preventive
    Include business continuity procedures in the Incident Response program. CC ID 06433 Operational management Preventive
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Operational management Preventive
    Include business recovery procedures in the Incident Response program. CC ID 11774 Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Operational management Preventive
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Operational management Detective
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Operational management Preventive
    Document the legal requirements for evidence collection. CC ID 08654 Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Operational management Preventive
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Preventive
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Operational management Detective
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Operational management Detective
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Operational management Detective
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Operational management Detective
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Operational management Detective
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Operational management Detective
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 Operational management Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [Establish minimum thresholds for performance or assurance criteria and review as part of deployment approval ("go"/"no-go") policies, procedures, and processes, with reviewed processes and approval thresholds reflecting measurement of GAI capabilities and risks. GV-1.3-002]
    Operational management Preventive
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish and maintain a service catalog. CC ID 13634 Operational management Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Preventive
    Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099 Operational management Preventive
    Define a high-risk artificial intelligence system. CC ID 14959 Operational management Preventive
    Include the scope in the environmental management system. CC ID 14950 Operational management Preventive
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
    [Environmental impact and sustainability of AI model training and management activities – as identified in the MAP function – are assessed and documented. MEASURE 2.12:]
    Operational management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Records management Detective
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [Maintain a document retention policy to keep history for test, evaluation, validation, and verification (TEVV), and digital content transparency methods for GAI. GV-1.5-003]
    Records management Preventive
    Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 Systems design, build, and implementation Preventive
    Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Preventive
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Systems design, build, and implementation Preventive
    Include naming conventions in system design guidelines. CC ID 13656 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Systems design, build, and implementation Preventive
    Establish and maintain an input requirements definition document. CC ID 01071 Systems design, build, and implementation Preventive
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system use training plan. CC ID 01089
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Systems design, build, and implementation Preventive
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Systems design, build, and implementation Preventive
    Include the physical design characteristics in the system design specification. CC ID 06927 Systems design, build, and implementation Preventive
    Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 Systems design, build, and implementation Preventive
    Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 Systems design, build, and implementation Preventive
    Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 Systems design, build, and implementation Preventive
    Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 Systems design, build, and implementation Preventive
    Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 Systems design, build, and implementation Preventive
    Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 Systems design, build, and implementation Preventive
    Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 Systems design, build, and implementation Preventive
    Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 Systems design, build, and implementation Preventive
    Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 Systems design, build, and implementation Preventive
    Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 Systems design, build, and implementation Preventive
    Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 Systems design, build, and implementation Preventive
    Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 Systems design, build, and implementation Preventive
    Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 Systems design, build, and implementation Preventive
    Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 Systems design, build, and implementation Preventive
    Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 Systems design, build, and implementation Preventive
    Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 Systems design, build, and implementation Preventive
    Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 Systems design, build, and implementation Preventive
    Define and document organizational structures for system and network monitoring. CC ID 12554 Systems design, build, and implementation Preventive
    Define and document organizational structures for systems operations. CC ID 12553 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a full set of system procedures. CC ID 01074 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a processing requirements definition document. CC ID 01077 Systems design, build, and implementation Preventive
    Establish, implement, and maintain an output requirements definition document. CC ID 01078 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a database management standard. CC ID 01079 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system design requirements. CC ID 06618
    [Scientific integrity and TEVV considerations are identified and documented, including those related to experimental design, data collection and selection (e.g., availability, representativeness, suitability), system trustworthiness, and construct validation MAP 2.3:]
    Systems design, build, and implementation Preventive
    Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 Systems design, build, and implementation Detective
    Document stakeholder requirements and how they influence system design requirements. CC ID 06925 Systems design, build, and implementation Preventive
    Document legal requirements and how they influence system design requirements. CC ID 11793 Systems design, build, and implementation Preventive
    Identify and document system design constraints. CC ID 06923 Systems design, build, and implementation Preventive
    Identify and document limitations that the implementation technology and the implementation strategy puts on the system design solution. CC ID 06928
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:]
    Systems design, build, and implementation Preventive
    Identify and document system development constraints. CC ID 11698 Systems design, build, and implementation Preventive
    Identify and document the system boundaries of the system design project. CC ID 06924 Systems design, build, and implementation Preventive
    Review the degree of human intervention and control points in the system design requirements. CC ID 13536 Systems design, build, and implementation Detective
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Include the threats and risks associated with the system development project in the project feasibility study. CC ID 11797
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
    AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Systems design, build, and implementation Preventive
    Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 Systems design, build, and implementation Preventive
    Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Systems design, build, and implementation Preventive
    Establish and maintain technical documentation. CC ID 15005
    [Intended purposes, potentially beneficial uses, context specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood and documented. Considerations include: the specific set or types of users along with their expectations; potential positive and negative impacts of system uses to individuals, communities, organizations, society, and the planet; assumptions and related limitations about AI system purposes, uses, and risks across the development or product AI lifecycle; and related TEVV and system metrics. MAP 1.1:]
    Systems design, build, and implementation Preventive
    Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104 Systems design, build, and implementation Preventive
    Include the risk mitigation measures in the technical documentation. CC ID 17246 Systems design, build, and implementation Preventive
    Include the intended outputs of the system in the technical documentation. CC ID 17245 Systems design, build, and implementation Preventive
    Include the limitations of the system in the technical documentation. CC ID 17242 Systems design, build, and implementation Preventive
    Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 Systems design, build, and implementation Preventive
    Include all required information in the technical documentation. CC ID 15094 Systems design, build, and implementation Preventive
    Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Preventive
    Include security requirements in system acquisition contracts. CC ID 01124 Acquisition or sale of facilities, technology, and services Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Acquisition or sale of facilities, technology, and services Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain organizational documents. CC ID 16202
    [Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented. Documentation provides sufficient information to assist relevant AI Actors when making decisions and taking subsequent actions. MAP 2.2:]
    Harmonization Methods and Manual of Style Preventive
    Use unique titles for organizational documents. CC ID 16289 Harmonization Methods and Manual of Style Preventive
    Write organizational documents using clear and conspicuous language. CC ID 16281 Harmonization Methods and Manual of Style Preventive
    Write organizational documents using information that is free from bias. CC ID 16341 Harmonization Methods and Manual of Style Preventive
    Include the publication date on organizational documents. CC ID 16269 Harmonization Methods and Manual of Style Preventive
    Include version control on organizational documents. CC ID 16268 Harmonization Methods and Manual of Style Preventive
    Include the version number on organizational documents. CC ID 16266 Harmonization Methods and Manual of Style Preventive
    Include the author's name and job title on organizational documents. CC ID 16265 Harmonization Methods and Manual of Style Preventive
    Include a record of changes in organizational documents. CC ID 16252 Harmonization Methods and Manual of Style Preventive
    Include page numbers in the record of changes. CC ID 16280 Harmonization Methods and Manual of Style Preventive
    Include change comments in the record of changes. CC ID 16279 Harmonization Methods and Manual of Style Preventive
    Include the date of the change in the record of changes. CC ID 16278 Harmonization Methods and Manual of Style Preventive
    Organize all compliance documents. CC ID 06096 Harmonization Methods and Manual of Style Preventive
    Organize all compliance documents to fit the message. CC ID 06097 Harmonization Methods and Manual of Style Preventive
    Identify the target audience for compliance documents. CC ID 06108 Harmonization Methods and Manual of Style Preventive
    Define the structure for compliance documents and governance documents. CC ID 06111 Harmonization Methods and Manual of Style Preventive
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Harmonization Methods and Manual of Style Preventive
    Define visual and formatting styles for all structured headings. CC ID 06110 Harmonization Methods and Manual of Style Preventive
    Define the section heading style, if section headings are being used. CC ID 06112 Harmonization Methods and Manual of Style Preventive
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Harmonization Methods and Manual of Style Preventive
    Place the table of contents at the document's beginning. CC ID 06114 Harmonization Methods and Manual of Style Preventive
    Add term definitions to the document's end. CC ID 06115 Harmonization Methods and Manual of Style Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [Include clauses in contracts which allow an organization to evaluate third-party GAI processes and standards. GV-6.1-006]
    Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Preventive
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Third Party and supply chain oversight Preventive
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Third Party and supply chain oversight Preventive
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Third Party and supply chain oversight Preventive
    Define the traceability documentation required for chain of custody certification. CC ID 08895 Third Party and supply chain oversight Preventive
    Collect and disclose documentation of security forces to purchasers. CC ID 08887 Third Party and supply chain oversight Preventive
    Review documentation that justifies the sourcing and chain of custody. CC ID 08899 Third Party and supply chain oversight Preventive
    Create an on-site mine visit report. CC ID 08921 Third Party and supply chain oversight Preventive
  • Human Resources Management
    39
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Monitoring and measurement Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:]
    Human Resources management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:]
    Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define organizational responsibilities for periodic review of content provenance and incident monitoring for GAI systems. GV-1.5-001]
    Human Resources management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Preventive
    Document the use of external experts. CC ID 16263 Human Resources management Preventive
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:
    {be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    When systems may raise national security risks, involve national security professionals in mapping, measuring, and managing those risks. GV-2.1-004
    Establish and empower interdisciplinary teams that reflect a wide range of capabilities, competencies, demographic groups, domain expertise, educational backgrounds, lived experiences, professions, and skills across the enterprise to inform and conduct risk measurement and management functions. MP-1.2-001]
    Human Resources management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Preventive
    Support certification programs as viable training programs. CC ID 13268
    [Develop certification programs that test proficiency in managing GAI risks and interpreting content provenance, relevant to specific industry and context. MP-3.4-003]
    Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources management Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources management Preventive
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources management Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources management Preventive
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Operational management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Corrective
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Preventive
    Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091 Operational management Preventive
    Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 Systems design, build, and implementation Preventive
  • IT Impact Zone
    15
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    34
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Detective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Detective
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Detective
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Preventive
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Detective
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Operational management Detective
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Operational management Detective
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Corrective
    Identify potential sources of digital forensic evidence. CC ID 08651 Operational management Preventive
    Prepare digital forensic equipment. CC ID 08688 Operational management Detective
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Operational management Detective
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Operational management Detective
    Maintain digital forensic equipment for proper performance. CC ID 08689 Operational management Detective
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Operational management Detective
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Operational management Detective
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Operational management Detective
    Secure devices containing digital forensic evidence. CC ID 08681 Operational management Detective
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Operational management Detective
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Operational management Detective
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Operational management Detective
    Shut down stand alone devices containing digital forensic evidence. CC ID 08682 Operational management Detective
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Operational management Detective
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Operational management Detective
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Preventive
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    16
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Detective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Preventive
    Include time information in the chain of custody. CC ID 17068 Operational management Preventive
    Include actions performed on evidence in the chain of custody. CC ID 17067 Operational management Preventive
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Operational management Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Maintenance
    1
    Follow the maintenance schedule. CC ID 11791 Operational management Preventive
  • Monitor and Evaluate Occurrences
    33
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Monitor and evaluate system performance. CC ID 00651
    [Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance. MANAGE 3.2:]
    Monitoring and measurement Detective
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Detective
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Preventive
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Detective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitoring and measurement Corrective
    Report known security issues to interested personnel and affected parties on a regular basis. CC ID 12329
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Monitoring and measurement Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Detective
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Preventive
    Establish, implement, and maintain a post-market monitoring system. CC ID 15050 Operational management Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [Establish known assumptions and practices for determining data origin and content lineage, for documentation and evaluation purposes. MP-2.1-001]
    Records management Detective
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Preventive
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
  • Physical and Environmental Protection
    16
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Preventive
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Human Resources management Preventive
    Install duress alarms in susceptible public areas. CC ID 06075 Human Resources management Preventive
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030 Operational management Detective
    Include anti-counterfeit measures in the system requirements specification. CC ID 11547 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 Systems design, build, and implementation Preventive
    Analyze anti-counterfeit measures for their longevity. CC ID 11553 Systems design, build, and implementation Preventive
    Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 Systems design, build, and implementation Preventive
    Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 Systems design, build, and implementation Preventive
  • Process or Activity
    55
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Monitoring and measurement Detective
    Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 Monitoring and measurement Preventive
    Define the validity period for technical documentation assessment certificates. CC ID 17227 Monitoring and measurement Preventive
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Preventive
    Approve the vulnerability management program. CC ID 15722 Monitoring and measurement Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Audits and risk management Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Audits and risk management Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Audits and risk management Detective
    Approve the risk acceptance level, as necessary. CC ID 17168 Audits and risk management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Detective
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Human Resources management Detective
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Operational management Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Detective
    Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Operational management Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Corrective
    Contain the incident to prevent further loss. CC ID 01751 Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 Operational management Preventive
    Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 Operational management Preventive
    Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225 Operational management Preventive
    Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:
    {residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
    Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:
    Assess the accuracy, quality, reliability, and authenticity of GAI output by comparing it to a set of known ground truth data and by using a variety of evaluation methods (e.g., human oversight and automated evaluation, proven cryptographic techniques, review of content inputs). MP-2.3-001]
    Operational management Preventive
    Take into account the nature of the situation when determining the possibility of using 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020 Operational management Preventive
    Use a remote biometric identification system under defined conditions. CC ID 15016 Operational management Preventive
    Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093 Operational management Preventive
    Reassess the designation of artificial intelligence systems. CC ID 17230 Operational management Preventive
    Take into account the consequences for the rights and freedoms of persons when using ‘real-time’ remote biometric identification systems for law enforcement. CC ID 14957 Operational management Preventive
    Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955 Operational management Preventive
    Refrain from using remote biometric identification systems under defined conditions. CC ID 14953 Operational management Preventive
    Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 Operational management Preventive
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Preventive
    Resolve conflicting design and development inputs. CC ID 13703 Systems design, build, and implementation Corrective
    Document the results of the source code analysis. CC ID 14310
    [Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:]
    Systems design, build, and implementation Detective
    Include system performance in the scope of system testing. CC ID 12624 Systems design, build, and implementation Preventive
    Include security controls in the scope of system testing. CC ID 12623 Systems design, build, and implementation Preventive
    Include business logic in the scope of system testing. CC ID 12622 Systems design, build, and implementation Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
  • Records Management
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Retain penetration test results according to internal policy. CC ID 10049 Monitoring and measurement Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Monitoring and measurement Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Preventive
    Retain collected evidence for potential future legal actions. CC ID 01235 Operational management Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Operational management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Preventive
  • Systems Continuity
    18
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish policies and procedures that address GAI data redundancy, including model weights and other system artifacts. GV-6.2-005]
    Operational and Systems Continuity Preventive
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Detective
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Preventive
    Include consumer protection procedures in the Incident Response program. CC ID 12755 Operational management Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Third Party and supply chain oversight Preventive
  • Systems Design, Build, and Implementation
    60
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Operational management Preventive
    Establish, implement, and maintain an artificial intelligence system. CC ID 14943
    [The specific tasks and methods used to implement the tasks that the AI system will support are defined (e.g., classifiers, generative models, recommenders). MAP 2.1:
    Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
    Devise a plan to halt development or deployment of a GAI system that poses unacceptable negative risk. GV-1.3-007]
    Operational management Preventive
    Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047
    [Establish policies and mechanisms to prevent GAI systems from generating CSAM, NCII or content that violates the law. GV-1.4-001]
    Operational management Corrective
    Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022
    [The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices. GOVERN 1.2:]
    Operational management Preventive
    Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996
    [The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:
    Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches. GV-1.2-001]
    Operational management Preventive
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823
    [Allocate time and resources for outreach, feedback, and recourse processes in GAI system development. GV-5.1-001]
    Systems design, build, and implementation Preventive
    Include information security throughout the system development life cycle. CC ID 12042 Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Implement manual override capability into automated systems. CC ID 14921 Systems design, build, and implementation Preventive
    Redesign business activities to support the system implementation. CC ID 01067 Systems design, build, and implementation Corrective
    Search for metadata during e-discovery. CC ID 01073 Systems design, build, and implementation Preventive
    Establish, implement, and maintain security design principles. CC ID 14718 Systems design, build, and implementation Preventive
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems design, build, and implementation Preventive
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Systems design, build, and implementation Preventive
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems design, build, and implementation Preventive
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems design, build, and implementation Preventive
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems design, build, and implementation Preventive
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems design, build, and implementation Preventive
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems design, build, and implementation Preventive
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems design, build, and implementation Preventive
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Systems design, build, and implementation Preventive
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems design, build, and implementation Preventive
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems design, build, and implementation Preventive
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems design, build, and implementation Preventive
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems design, build, and implementation Preventive
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems design, build, and implementation Preventive
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems design, build, and implementation Preventive
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems design, build, and implementation Preventive
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems design, build, and implementation Preventive
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems design, build, and implementation Preventive
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems design, build, and implementation Preventive
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems design, build, and implementation Preventive
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems design, build, and implementation Preventive
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems design, build, and implementation Preventive
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems design, build, and implementation Preventive
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems design, build, and implementation Preventive
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems design, build, and implementation Preventive
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems design, build, and implementation Preventive
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems design, build, and implementation Preventive
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems design, build, and implementation Preventive
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems design, build, and implementation Preventive
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems design, build, and implementation Preventive
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems design, build, and implementation Preventive
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems design, build, and implementation Preventive
    Establish and maintain System Development Life Cycle documentation. CC ID 12079
    [Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts. GOVERN 4.1:]
    Systems design, build, and implementation Preventive
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 Systems design, build, and implementation Preventive
    Design and develop built-in redundancies, as necessary. CC ID 13064 Systems design, build, and implementation Preventive
    Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 Systems design, build, and implementation Preventive
    Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 Systems design, build, and implementation Preventive
    Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 Systems design, build, and implementation Preventive
    Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects. CC ID 01045
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Systems design, build, and implementation Detective
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Preventive
    Include threat models in the system design specification. CC ID 06829
    [Engage in threat modeling to anticipate potential risks from GAI systems. GV-3.2-005]
    Systems design, build, and implementation Preventive
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems design, build, and implementation Corrective
    Control the test data used in the development environment. CC ID 12013 Systems design, build, and implementation Preventive
    Select the test data carefully. CC ID 12011 Systems design, build, and implementation Preventive
  • Technical Security
    65
    Conduct Red Team exercises, as necessary. CC ID 12131 Monitoring and measurement Detective
    Test security systems and associated security procedures, as necessary. CC ID 11901 Monitoring and measurement Detective
    Scan wireless networks for rogue devices. CC ID 11623 Monitoring and measurement Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Monitoring and measurement Corrective
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Monitoring and measurement Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Detective
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Detective
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Monitoring and measurement Preventive
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Corrective
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Detective
    Identify and document security vulnerabilities. CC ID 11857 Monitoring and measurement Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Detective
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Detective
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Detective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Detective
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Detective
    Perform vulnerability assessments, as necessary. CC ID 11828 Monitoring and measurement Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Detective
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Monitoring and measurement Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Monitoring and measurement Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Monitoring and measurement Corrective
    Correct or mitigate vulnerabilities. CC ID 12497 Monitoring and measurement Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Monitoring and measurement Corrective
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Detective
    Protect against misusing automated audit tools. CC ID 04547 Monitoring and measurement Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Manage all external network connections. CC ID 11842
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Technical security Preventive
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical security Preventive
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical security Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Categorize the incident following an incident response. CC ID 13208 Operational management Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Refrain from accessing compromised systems. CC ID 01752 Operational management Corrective
    Isolate compromised systems from the network. CC ID 01753 Operational management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Corrective
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Corrective
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 Operational management Preventive
    Compile databases to protect their structural intellectual property. CC ID 07044 Systems design, build, and implementation Preventive
    Include performance criteria in the system requirements specification. CC ID 11540 Systems design, build, and implementation Preventive
    Include accommodating increases in capacity in the system requirements specification. CC ID 11562 Systems design, build, and implementation Preventive
    Include product upgrade methodologies in the system requirements specification. CC ID 11563 Systems design, build, and implementation Preventive
    Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564
    [{multiple sources} Deploy and document fact-checking techniques to verify the accuracy and veracity of information generated by GAI systems, especially when the information comes from multiple (or unknown) sources. MP-2.3-003]
    Systems design, build, and implementation Preventive
    Protect test data in the development environment. CC ID 12014 Systems design, build, and implementation Preventive
    Establish, implement, and maintain anti-counterfeit measures. CC ID 11522 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain electronic marketplace terms of service guidelines. CC ID 11523
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Third Party and supply chain oversight Preventive
    Include the prohibition of counterfeiting in the electronic marketplace terms of service guidelines. CC ID 11524 Third Party and supply chain oversight Preventive
    Enforce the electronic marketplace terms of service guidelines. CC ID 11525 Third Party and supply chain oversight Preventive
  • Testing
    87
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Preventive
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Detective
    Enable security controls which were disabled to conduct testing. CC ID 17031 Monitoring and measurement Preventive
    Disable dedicated accounts after testing is complete. CC ID 17033 Monitoring and measurement Preventive
    Protect systems and data during testing in the production environment. CC ID 17198 Monitoring and measurement Preventive
    Define the criteria to conduct testing in the production environment. CC ID 17197 Monitoring and measurement Preventive
    Suspend testing in a production environment, as necessary. CC ID 17231 Monitoring and measurement Preventive
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Monitoring and measurement Detective
    Include test requirements for the use of production data in the testing program. CC ID 17201 Monitoring and measurement Preventive
    Include test requirements for the use of human subjects in the testing program. CC ID 16222
    [Evaluations involving human subjects meet applicable requirements (including human subject protection) and are representative of the relevant population. MEASURE 2.2:]
    Monitoring and measurement Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Monitoring and measurement Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Monitoring and measurement Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Monitoring and measurement Preventive
    Scan organizational networks for rogue devices. CC ID 00536 Monitoring and measurement Detective
    Scan the network for wireless access points. CC ID 00370 Monitoring and measurement Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Monitoring and measurement Detective
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Monitoring and measurement Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Monitoring and measurement Detective
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Monitoring and measurement Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Monitoring and measurement Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Monitoring and measurement Corrective
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Detective
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Detective
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Detective
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Detective
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Detective
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Detective
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Detective
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Detective
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Detective
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Detective
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Detective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Detective
    Conduct scanning activities in a test environment. CC ID 17036 Monitoring and measurement Preventive
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Detective
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Preventive
    Test the system for unvalidated input. CC ID 01318 Monitoring and measurement Detective
    Test the system for proper error handling. CC ID 01324 Monitoring and measurement Detective
    Test the system for insecure data storage. CC ID 01325 Monitoring and measurement Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Monitoring and measurement Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Monitoring and measurement Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Monitoring and measurement Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Monitoring and measurement Detective
    Document and maintain test results. CC ID 17028 Monitoring and measurement Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented. MEASURE 2.13:]
    Monitoring and measurement Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
    {alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Audits and risk management Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Operational and Systems Continuity Detective
    Conduct tests and evaluate training. CC ID 06672
    [{be appropriate} Establish processes to verify the AI Actors conducting GAI incident response tasks demonstrate and maintain the appropriate skills and training. GV-2.1-003]
    Human Resources management Detective
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Corrective
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Corrective
    Establish trust between the incident response team and the end user community during an incident. CC ID 01217 Operational management Detective
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Operational management Detective
    Test the incident response procedures. CC ID 01216 Operational management Detective
    Test systems to ensure they conform to configuration baselines. CC ID 13062
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    System hardening through configuration management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Detective
    Restrict system architects from being assigned as Administrators. CC ID 01064 Systems design, build, and implementation Detective
    Restrict the development team from having access to the production environment. CC ID 01066 Systems design, build, and implementation Detective
    Compare system design requirements against system design requests. CC ID 06619 Systems design, build, and implementation Detective
    Determine if commercial off the shelf products meet the system design requirements. CC ID 06926 Systems design, build, and implementation Detective
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Systems design, build, and implementation Detective
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Detective
    Restrict production data from being used in the test environment. CC ID 01103 Systems design, build, and implementation Detective
    Test all software changes before promoting the system to a production environment. CC ID 01106 Systems design, build, and implementation Detective
    Test security functionality during the development process. CC ID 12015 Systems design, build, and implementation Preventive
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Systems design, build, and implementation Detective
    Review and test source code. CC ID 01086 Systems design, build, and implementation Detective
    Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 Systems design, build, and implementation Corrective
    Approve all custom code test results before code is released. CC ID 06293 Systems design, build, and implementation Detective
    Perform Quality Management on all newly developed or modified software. CC ID 11798 Systems design, build, and implementation Detective
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135
    [Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights. GOVERN 6.1:]
    Acquisition or sale of facilities, technology, and services Detective
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Implement a use-case based supplier risk assessment framework to evaluate and monitor third-party entities' performance and adherence to content provenance standards and technologies to detect anomalies and unauthorized changes; services acquisition and value chain risk management; and legal compliance. GV-6.1-005]
    Third Party and supply chain oversight Detective
  • Training
    4
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Develop or acquire content to update the training plans. CC ID 12867
    [Adapt existing training programs to include modules on digital content transparency. MP-3.4-002]
    Human Resources management Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Preventive
    Conduct incident response training. CC ID 11889 Operational management Preventive
Common Controls and mandates by Classification
121 Mandated Controls - bold    112 Implied Controls - italic    1463 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1696 Total
  • Corrective
    78
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Monitoring and measurement Technical Security
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitoring and measurement Monitor and Evaluate Occurrences
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Monitoring and measurement Configuration
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Monitoring and measurement Testing
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Monitoring and measurement Technical Security
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Configuration
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Behavior
    Perform vulnerability assessments, as necessary. CC ID 11828 Monitoring and measurement Technical Security
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Monitoring and measurement Technical Security
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Monitoring and measurement Configuration
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Monitoring and measurement Establish/Maintain Documentation
    Correct or mitigate vulnerabilities. CC ID 12497 Monitoring and measurement Technical Security
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Monitoring and measurement Technical Security
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Systems Continuity
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Monitor and Evaluate Occurrences
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Behavior
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Process or Activity
    Contain the incident to prevent further loss. CC ID 01751 Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Refrain from accessing compromised systems. CC ID 01752 Operational management Technical Security
    Isolate compromised systems from the network. CC ID 01753 Operational management Technical Security
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Log Management
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Technical Security
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Behavior
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Behavior
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Behavior
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Behavior
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Behavior
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Behavior
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Establish/Maintain Documentation
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Technical Security
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Business Processes
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Human Resources Management
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Technical Security
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Establish/Maintain Documentation
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Log Management
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Testing
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Testing
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Communicate
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Investigate
    Collect evidence from the incident scene. CC ID 02236 Operational management Business Processes
    Approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Include mitigation measures to address biased output during the development of artificial intelligence systems. CC ID 15047
    [Establish policies and mechanisms to prevent GAI systems from generating CSAM, NCII or content that violates the law. GV-1.4-001]
    Operational management Systems Design, Build, and Implementation
    Withdraw authorizations that are unjustified. CC ID 15035 Operational management Business Processes
    Redesign business activities to support the system implementation. CC ID 01067 Systems design, build, and implementation Systems Design, Build, and Implementation
    Resolve conflicting design and development inputs. CC ID 13703 Systems design, build, and implementation Process or Activity
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems design, build, and implementation Systems Design, Build, and Implementation
    Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 Systems design, build, and implementation Testing
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
  • Detective
    390
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor and evaluate system performance. CC ID 00651
    [Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance. MANAGE 3.2:]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Monitor and Evaluate Occurrences
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Testing
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Testing
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Testing
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Monitor and Evaluate Occurrences
    Conduct Red Team exercises, as necessary. CC ID 12131 Monitoring and measurement Technical Security
    Test security systems and associated security procedures, as necessary. CC ID 11901 Monitoring and measurement Technical Security
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Monitoring and measurement Testing
    Identify risk management measures when testing in scope systems. CC ID 14960 Monitoring and measurement Process or Activity
    Scan organizational networks for rogue devices. CC ID 00536 Monitoring and measurement Testing
    Scan the network for wireless access points. CC ID 00370 Monitoring and measurement Testing
    Scan wireless networks for rogue devices. CC ID 11623 Monitoring and measurement Technical Security
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Monitoring and measurement Testing
    Perform conformity assessments, as necessary. CC ID 15095 Monitoring and measurement Testing
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Monitoring and measurement Technical Security
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Monitoring and measurement Establish/Maintain Documentation
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Monitoring and measurement Testing
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Testing
    Perform internal penetration tests, as necessary. CC ID 12471 Monitoring and measurement Technical Security
    Perform external penetration tests, as necessary. CC ID 12470 Monitoring and measurement Technical Security
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Monitoring and measurement Testing
    Test the system for broken access controls. CC ID 01319 Monitoring and measurement Testing
    Test the system for broken authentication and session management. CC ID 01320 Monitoring and measurement Testing
    Test the system for insecure communications. CC ID 00535 Monitoring and measurement Testing
    Test the system for cross-site scripting attacks. CC ID 01321 Monitoring and measurement Testing
    Test the system for buffer overflows. CC ID 01322 Monitoring and measurement Testing
    Test the system for injection flaws. CC ID 01323 Monitoring and measurement Testing
    Test the system for Denial of Service. CC ID 01326 Monitoring and measurement Testing
    Test the system for insecure configuration management. CC ID 01327 Monitoring and measurement Testing
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Monitoring and measurement Testing
    Test the system for cross-site request forgery. CC ID 06296 Monitoring and measurement Testing
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Monitoring and measurement Technical Security
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Monitoring and measurement Technical Security
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Audits and Risk Management
    Repeat penetration testing, as necessary. CC ID 06860 Monitoring and measurement Testing
    Test the system for covert channels. CC ID 10652 Monitoring and measurement Testing
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Monitoring and measurement Technical Security
    Test systems to determine which covert channels might be exploited. CC ID 10654 Monitoring and measurement Testing
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Technical Security
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Testing
    Identify and document security vulnerabilities. CC ID 11857 Monitoring and measurement Technical Security
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Investigate
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Technical Security
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Technical Security
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Testing
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Technical Security
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Technical Security
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Technical Security
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Technical Security
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Technical Security
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Technical Security
    Test the system for unvalidated input. CC ID 01318 Monitoring and measurement Testing
    Test the system for proper error handling. CC ID 01324 Monitoring and measurement Testing
    Test the system for insecure data storage. CC ID 01325 Monitoring and measurement Testing
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Monitoring and measurement Testing
    Test the system for insecure cryptographic storage. CC ID 11635 Monitoring and measurement Technical Security
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Monitoring and measurement Testing
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Monitoring and measurement Testing
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Monitoring and measurement Testing
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Monitoring and measurement Configuration
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Log Management
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Log Management
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Log Management
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before network access is granted. CC ID 02106 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Actionable Reports or Measurements
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Technical Security
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Actionable Reports or Measurements
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Actionable Reports or Measurements
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Actionable Reports or Measurements
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Actionable Reports or Measurements
    Evaluate the measurement process used for metrics. CC ID 06920 [Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented. MEASURE 2.13:] Monitoring and measurement Testing
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Audits and risk management Process or Activity
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:] Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity, and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 Audits and risk management Actionable Reports or Measurements
    Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 Audits and risk management Actionable Reports or Measurements
    Include revenues in the disclosure report. CC ID 16099 Audits and risk management Actionable Reports or Measurements
    Include the economic value distributed in the disclosure report. CC ID 16086 Audits and risk management Actionable Reports or Measurements
    Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 Audits and risk management Actionable Reports or Measurements
    Include total monetary value of payments to governments in the disclosure report. CC ID 16091 Audits and risk management Actionable Reports or Measurements
    Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 Audits and risk management Actionable Reports or Measurements
    Include total monetary value of community investments in the disclosure report. CC ID 16089 Audits and risk management Actionable Reports or Measurements
    Include operating costs in the disclosure report. CC ID 16088 Audits and risk management Actionable Reports or Measurements
    Include economic value retained in the disclosure report. CC ID 16094 Audits and risk management Actionable Reports or Measurements
    Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 Audits and risk management Actionable Reports or Measurements
    Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 Audits and risk management Actionable Reports or Measurements
    Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 Audits and risk management Actionable Reports or Measurements
    Include revenues from third party sales in the disclosure report. CC ID 16045 Audits and risk management Actionable Reports or Measurements
    Include the profit and loss before tax in the disclosure report. CC ID 16044 Audits and risk management Actionable Reports or Measurements
    Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 Audits and risk management Actionable Reports or Measurements
    Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 Audits and risk management Actionable Reports or Measurements
    Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 Audits and risk management Actionable Reports or Measurements
    Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 Audits and risk management Actionable Reports or Measurements
    Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 Audits and risk management Actionable Reports or Measurements
    Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 Audits and risk management Actionable Reports or Measurements
    Include the total number of incidents of corruption in the disclosure report. CC ID 16066 Audits and risk management Actionable Reports or Measurements
    Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 Audits and risk management Actionable Reports or Measurements
    Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 Audits and risk management Actionable Reports or Measurements
    Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 Audits and risk management Actionable Reports or Measurements
    Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 Audits and risk management Actionable Reports or Measurements
    Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 Audits and risk management Actionable Reports or Measurements
    Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 Audits and risk management Actionable Reports or Measurements
    Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 Audits and risk management Actionable Reports or Measurements
    Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 Audits and risk management Actionable Reports or Measurements
    Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 Audits and risk management Actionable Reports or Measurements
    Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 Audits and risk management Actionable Reports or Measurements
    Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 Audits and risk management Actionable Reports or Measurements
    Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 Audits and risk management Actionable Reports or Measurements
    Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 Audits and risk management Actionable Reports or Measurements
    Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 Audits and risk management Actionable Reports or Measurements
    Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 Audits and risk management Actionable Reports or Measurements
    Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 Audits and risk management Actionable Reports or Measurements
    Include the total amount of significant air emissions in the disclosure report. CC ID 16005 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of particulate matter in the disclosure report. CC ID 16077 Audits and risk management Actionable Reports or Measurements
    Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 Audits and risk management Actionable Reports or Measurements
    Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 Audits and risk management Actionable Reports or Measurements
    Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 Audits and risk management Actionable Reports or Measurements
    Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 Audits and risk management Actionable Reports or Measurements
    Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 Audits and risk management Actionable Reports or Measurements
    Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 Audits and risk management Actionable Reports or Measurements
    Include the total volume of significant spills in the disclosure report. CC ID 16010 Audits and risk management Actionable Reports or Measurements
    Include the total number of significant spills in the disclosure report. CC ID 15965 Audits and risk management Actionable Reports or Measurements
    Include the performance qualification score of laptops in the disclosure report. CC ID 16176 Audits and risk management Actionable Reports or Measurements
    Include the battery life score of laptops in the disclosure report. CC ID 16175 Audits and risk management Actionable Reports or Measurements
    Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 Audits and risk management Actionable Reports or Measurements
    Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 Audits and risk management Actionable Reports or Measurements
    Include the energy efficiency of server processors in the disclosure report. CC ID 16170 Audits and risk management Actionable Reports or Measurements
    Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 Audits and risk management Actionable Reports or Measurements
    Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 Audits and risk management Actionable Reports or Measurements
    Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 Audits and risk management Actionable Reports or Measurements
    Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 Audits and risk management Actionable Reports or Measurements
    Include the average actual sustained download speed in the disclosure report. CC ID 15568 Audits and risk management Actionable Reports or Measurements
    Include the average advertised download speed in the disclosure report. CC ID 15567 Audits and risk management Actionable Reports or Measurements
    Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 Audits and risk management Actionable Reports or Measurements
    Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 Audits and risk management Actionable Reports or Measurements
    Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 Audits and risk management Actionable Reports or Measurements
    Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 Audits and risk management Actionable Reports or Measurements
    Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 Audits and risk management Actionable Reports or Measurements
    Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 Audits and risk management Actionable Reports or Measurements
    Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 Audits and risk management Actionable Reports or Measurements
    Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 Audits and risk management Actionable Reports or Measurements
    Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 Audits and risk management Actionable Reports or Measurements
    Include the rate of new employee hires in the disclosure report. CC ID 15928 Audits and risk management Actionable Reports or Measurements
    Include the total number of employees who left the organization in the disclosure report. CC ID 16127 Audits and risk management Actionable Reports or Measurements
    Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 Audits and risk management Actionable Reports or Measurements
    Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 Audits and risk management Actionable Reports or Measurements
    Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 Audits and risk management Actionable Reports or Measurements
    Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 Audits and risk management Actionable Reports or Measurements
    Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 Audits and risk management Actionable Reports or Measurements
    Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 Audits and risk management Actionable Reports or Measurements
    Include the user average interruption duration in the disclosure report. CC ID 15558 Audits and risk management Actionable Reports or Measurements
    Include the system average interruption frequency in the disclosure report. CC ID 15565 Audits and risk management Actionable Reports or Measurements
    Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 Audits and risk management Actionable Reports or Measurements
    Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 Audits and risk management Actionable Reports or Measurements
    Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 Audits and risk management Actionable Reports or Measurements
    Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 Audits and risk management Actionable Reports or Measurements
    Include the power usage effectiveness in the disclosure report. CC ID 15552 Audits and risk management Actionable Reports or Measurements
    Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 Audits and risk management Actionable Reports or Measurements
    Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 Audits and risk management Actionable Reports or Measurements
    Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 Audits and risk management Actionable Reports or Measurements
    Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 Audits and risk management Actionable Reports or Measurements
    Include the weight of recovered materials in the disclosure report. CC ID 16203 Audits and risk management Actionable Reports or Measurements
    Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 Audits and risk management Actionable Reports or Measurements
    Include the rate of work-related injuries in the disclosure report. CC ID 15944 Audits and risk management Actionable Reports or Measurements
    Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 Audits and risk management Actionable Reports or Measurements
    Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 Audits and risk management Actionable Reports or Measurements
    Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 Audits and risk management Actionable Reports or Measurements
    Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 Audits and risk management Actionable Reports or Measurements
    Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 Audits and risk management Actionable Reports or Measurements
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Process or Activity
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Establish/Maintain Documentation
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Data and Information Management
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Operational and Systems Continuity Testing
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Systems Continuity
    Document all training in a training record. CC ID 01423 Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672
    [{be appropriate} Establish processes to verify the AI Actors conducting GAI incident response tasks demonstrate and maintain the appropriate skills and training. GV-2.1-003]
    Human Resources management Testing
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Human Resources management Process or Activity
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Process or Activity
    Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Operational management Process or Activity
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Process or Activity
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Investigate
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Establish/Maintain Documentation
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Investigate
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Establish/Maintain Documentation
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Establish/Maintain Documentation
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Investigate
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Behavior
    Avoid false positive incident response notifications. CC ID 04732 Operational management Behavior
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Establish/Maintain Documentation
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Monitor and Evaluate Occurrences
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Analyze and respond to security alerts. CC ID 12504 Operational management Business Processes
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206 Operational management Establish/Maintain Documentation
    Establish trust between the incident response team and the end user community during an incident. CC ID 01217 Operational management Testing
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Operational management Investigate
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Operational management Investigate
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Operational management Establish/Maintain Documentation
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Operational management Communicate
    Prepare digital forensic equipment. CC ID 08688 Operational management Investigate
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Operational management Investigate
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Operational management Investigate
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Operational management Establish/Maintain Documentation
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Operational management Testing
    Maintain digital forensic equipment for proper performance. CC ID 08689 Operational management Investigate
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Operational management Establish/Maintain Documentation
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Operational management Establish/Maintain Documentation
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Operational management Establish/Maintain Documentation
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Operational management Establish/Maintain Documentation
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Operational management Establish/Maintain Documentation
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Operational management Investigate
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Operational management Investigate
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Operational management Investigate
    Secure devices containing digital forensic evidence. CC ID 08681 Operational management Investigate
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Operational management Investigate
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Operational management Investigate
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Operational management Investigate
    Shut down stand alone devices containing digital forensic evidence. CC ID 08682 Operational management Investigate
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Operational management Investigate
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Operational management Investigate
    Test the incident response procedures. CC ID 01216 Operational management Testing
    Use proactive performance management. CC ID 00937 Operational management Business Processes
    Utilize resource availability management controls. CC ID 00940 Operational management Business Processes
    Assess the trustworthiness of artificial intelligence systems. CC ID 16319 Operational management Business Processes
    Ensure the transport conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15031 Operational management Business Processes
    Ensure the storage conditions for artificial intelligence systems refrain from compromising compliance. CC ID 15030 Operational management Physical and Environmental Protection
    Test systems to ensure they conform to configuration baselines. CC ID 13062
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    System hardening through configuration management Testing
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Records management Testing
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [Establish known assumptions and practices for determining data origin and content lineage, for documentation and evaluation purposes. MP-2.1-001]
    Records management Monitor and Evaluate Occurrences
    Restrict system architects from being assigned as Administrators. CC ID 01064 Systems design, build, and implementation Testing
    Restrict the development team from having access to the production environment. CC ID 01066 Systems design, build, and implementation Testing
    Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922 Systems design, build, and implementation Establish/Maintain Documentation
    Compare system design requirements against system design requests. CC ID 06619 Systems design, build, and implementation Testing
    Determine if commercial off the shelf products meet the system design requirements. CC ID 06926 Systems design, build, and implementation Testing
    Review the degree of human intervention and control points in the system design requirements. CC ID 13536 Systems design, build, and implementation Establish/Maintain Documentation
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 Systems design, build, and implementation Testing
    Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects. CC ID 01045
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems; Incident response and containment. GV-3.2-002]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Document the results of the source code analysis. CC ID 14310
    [Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:]
    Systems design, build, and implementation Process or Activity
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Testing
    Restrict production data from being used in the test environment. CC ID 01103 Systems design, build, and implementation Testing
    Test all software changes before promoting the system to a production environment. CC ID 01106 Systems design, build, and implementation Testing
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Systems design, build, and implementation Testing
    Review and test source code. CC ID 01086 Systems design, build, and implementation Testing
    Approve all custom code test results before code is released. CC ID 06293 Systems design, build, and implementation Testing
    Perform Quality Management on all newly developed or modified software. CC ID 11798 Systems design, build, and implementation Testing
    Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135
    [Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights. GOVERN 6.1:]
    Acquisition or sale of facilities, technology, and services Testing
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Business Processes
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Business Processes
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Business Processes
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Business Processes
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Business Processes
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Business Processes
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Perform risk assessments of third parties, as necessary. CC ID 06454
    [Implement a use-cased based supplier risk assessment framework to evaluate and monitor third-party entities' performance and adherence to content provenance standards and technologies to detect anomalies and unauthorized changes; services acquisition and value chain risk management; and legal compliance. GV-6.1-005]
    Third Party and supply chain oversight Testing
    Validate the mine of origin for sourcing of materials against independent data. CC ID 08897 Third Party and supply chain oversight Data and Information Management
    Trace materials to their origin. CC ID 08898 Third Party and supply chain oversight Business Processes
  • IT Impact Zone
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    IMPACT ZONE    TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1213
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Establish/Maintain Documentation
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [{be external} Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system regarding the potential individual and societal impacts related to AI risks. GOVERN 5.1:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    Feedback processes for end users and impacted communities to report problems and appeal system outcomes are established and integrated into AI system evaluation metrics. MEASURE 3.3:
    Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:
    Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
    Obtain input from stakeholder communities to identify unacceptable use, in accordance with activities in the AI RMF Map function. GV-1.3-004]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures. CC ID 12406
    [{alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the criteria for notifications in the notification system. CC ID 17139 Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a value generation model. CC ID 15591
    [Mechanisms are in place and applied to sustain the value of deployed AI systems. MANAGE 2.2:]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002
    Review and document accuracy, representativeness, relevance, suitability of data used at different stages of AI life cycle. MP-2.3-002]
    Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Data and Information Management
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Legal and regulatory requirements involving AI are understood, managed, and documented. GOVERN 1.1:]
    Leadership and high level objectives Establish/Maintain Documentation
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [Define any inventory exemptions in organizational policies for GAI systems embedded into application software. GV-1.6-002]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Communicate
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a decision management strategy. CC ID 06913 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950
    [Reevaluate organizational risk tolerances to account for unacceptable negative risk (such as where significant negative impacts are imminent, severe harms are actually occurring, or large-scale risks could occur); and broad GAI negative risks, including: Immature safety or risk cultures related to AI and GAI design, development and deployment, public information integrity risks, including impacts on democratic processes, unknown long-term performance characteristics of GAI. GV-1.3-006]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Communicate
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Communicate
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [Risk tracking approaches are considered for settings where AI risks are difficult to assess using currently available measurement techniques or where metrics are not yet available. MEASURE 3.2:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Monitoring and measurement Establish/Maintain Documentation
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Business Processes
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Testing
    Establish, implement, and maintain a system security plan. CC ID 01922 Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676
    [Privacy risk of the AI system – as identified in the MAP function – is examined and documented. MEASURE 2.10:]
    Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a testing program. CC ID 00654
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Monitoring and measurement Behavior
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Monitoring and measurement Establish/Maintain Documentation
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the security assessment and authorization policy. CC ID 14220 Monitoring and measurement Establish/Maintain Documentation
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Monitoring and measurement Communicate
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Monitoring and measurement Establish/Maintain Documentation
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Monitoring and measurement Communicate
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Monitoring and measurement Human Resources Management
    Enable security controls which were disabled to conduct testing. CC ID 17031 Monitoring and measurement Testing
    Document improvement actions based on test results and exercises. CC ID 16840 Monitoring and measurement Establish/Maintain Documentation
    Disable dedicated accounts after testing is complete. CC ID 17033 Monitoring and measurement Testing
    Protect systems and data during testing in the production environment. CC ID 17198 Monitoring and measurement Testing
    Delete personal data upon data subject's withdrawal from testing. CC ID 17238 Monitoring and measurement Data and Information Management
    Define the criteria to conduct testing in the production environment. CC ID 17197 Monitoring and measurement Testing
    Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 Monitoring and measurement Behavior
    Suspend testing in a production environment, as necessary. CC ID 17231 Monitoring and measurement Testing
    Define the test requirements for each testing program. CC ID 13177
    [Implement plans for GAI systems to undergo regular adversarial testing to identify vulnerabilities and potential manipulation or misuse. MP-2.3-005
    Delineate human proficiency tests from tests of GAI capabilities. MP-3.4-004]
    Monitoring and measurement Establish/Maintain Documentation
    Include test requirements for the use of production data in the testing program. CC ID 17201 Monitoring and measurement Testing
    Include test requirements for the use of human subjects in the testing program. CC ID 16222
    [Evaluations involving human subjects meet applicable requirements (including human subject protection) and are representative of the relevant population. MEASURE 2.2:]
    Monitoring and measurement Testing
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Monitoring and measurement Testing
    Perform network testing in accordance with organizational standards. CC ID 16448 Monitoring and measurement Testing
    Notify interested personnel and affected parties prior to performing testing. CC ID 17034 Monitoring and measurement Communicate
    Test user accounts in accordance with organizational standards. CC ID 16421 Monitoring and measurement Testing
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Monitoring and measurement Establish/Maintain Documentation
    Document the business need justification for authorized wireless access points. CC ID 12044 Monitoring and measurement Establish/Maintain Documentation
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Monitoring and measurement Configuration
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Monitoring and measurement Establish/Maintain Documentation
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Monitoring and measurement Communicate
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Monitoring and measurement Communicate
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Monitoring and measurement Communicate
    Create technical documentation assessment certificates in an official language. CC ID 15110 Monitoring and measurement Establish/Maintain Documentation
    Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 Monitoring and measurement Process or Activity
    Define the validity period for technical documentation assessment certificates. CC ID 17227 Monitoring and measurement Process or Activity
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Monitoring and measurement Testing
    Define the test frequency for each testing program. CC ID 13176 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Behavior
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Monitoring and measurement Communicate
    Align the penetration test program with industry standards. CC ID 12469 Monitoring and measurement Establish/Maintain Documentation
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Monitoring and measurement Establish Roles
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Monitoring and measurement Testing
    Retain penetration test results according to internal policy. CC ID 10049 Monitoring and measurement Records Management
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Monitoring and measurement Records Management
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Process or Activity
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Monitoring and measurement Technical Security
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Monitoring and measurement Establish/Maintain Documentation
    Include facilities in the business line testing strategy. CC ID 13253 Monitoring and measurement Establish/Maintain Documentation
    Include electrical systems in the business line testing strategy. CC ID 13251 Monitoring and measurement Establish/Maintain Documentation
    Include mechanical systems in the business line testing strategy. CC ID 13250 Monitoring and measurement Establish/Maintain Documentation
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Monitoring and measurement Establish/Maintain Documentation
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Monitoring and measurement Establish/Maintain Documentation
    Include environmental controls in the business line testing strategy. CC ID 13246 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Conduct scanning activities in a test environment. CC ID 17036 Monitoring and measurement Testing
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Technical Security
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Communicate
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Records Management
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Business Processes
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Testing
    Approve the vulnerability management program. CC ID 15722 Monitoring and measurement Process or Activity
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Monitoring and measurement Establish Roles
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Monitoring and measurement Technical Security
    Document and maintain test results. CC ID 17028 Monitoring and measurement Testing
    Include the pass or fail test status in the test results. CC ID 17106 Monitoring and measurement Establish/Maintain Documentation
    Include time information in the test results. CC ID 17105 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the system tested in the test results. CC ID 17104 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 Monitoring and measurement Communicate
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [Develop and validate approaches for measuring the success of content provenance management efforts with third parties (e.g., incidents detected and response times). GV-6.1-003]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Monitoring and measurement Business Processes
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655
    [Establish policies for measuring the effectiveness of employed content provenance methodologies (e.g., cryptography, watermarking, steganography, etc.). GV-4.3-001]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Log Management
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Business Processes
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Business Processes
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Business Processes
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Business Processes
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Business Processes
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Business Processes
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Business Processes
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Communicate
    Report known security issues to interested personnel and affected parties on a regular basis. CC ID 12329
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Protect against misusing automated audit tools. CC ID 04547 Monitoring and measurement Technical Security
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities. GOVERN 1.4:]
    Audits and risk management Establish/Maintain Documentation
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Establish/Maintain Documentation
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:
    Ongoing monitoring and periodic review of the risk management process and its outcomes are planned, and organizational roles and responsibilities are clearly defined, including determining the frequency of periodic review. GOVERN 1.5:]
    Audits and risk management Establish Roles
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [Maintain an updated hierarchy of identified and expected GAI risks connected to contexts of GAI model advancement and use, potentially including specialized risk levels for GAI systems that address issues such as model collapse and algorithmic monoculture. GV-1.3-005]
    Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277 Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented. MAP 5.1:]
    Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
    {alert system} {no longer be used} Re-evaluate risks when adapting GAI models to new domains. Additionally, establish warning systems to determine if a GAI system is being used in a new domain where previous assumptions (relating to context of use or mapped risks such as security, and safety) may no longer hold. MP-4.1-008]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Audits and risk management Communicate
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Risks associated with transparency and accountability – as identified in the MAP function – are examined and documented. MEASURE 2.8:]
    Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{be significant} Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented. MEASURE 1.1:
    Document risk measurement plans to address identified risks. Plans may include, as applicable: Individual and group cognitive biases (e.g., confirmation bias, funding bias, groupthink) for AI Actors involved in the design, implementation, and use of GAI systems; Known past GAI system incidents and failure modes; In-context use and foreseeable misuse, abuse, and off-label use; Over reliance on quantitative metrics and methodologies without sufficient awareness of their limitations in the context(s) of use; Standard measurement and structured human feedback approaches; Anticipated human-AI configurations. MP-1.1-003]
    Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization's risk tolerance. GOVERN 1.3:
    Procedures are followed to respond to and recover from a previously unknown risk when it is identified. MANAGE 2.3:]
    Audits and risk management Establish/Maintain Documentation
    Approve the risk acceptance level, as necessary. CC ID 17168 Audits and risk management Process or Activity
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [Responses to the AI risks deemed high priority, as identified by the MAP function, are developed, planned, and documented. Risk response options can include mitigating, transferring, avoiding, or accepting. MANAGE 1.3:
    AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220
    [Include relevant AI Actors in the GAI system risk identification process. GV-4.2-002
    Establish policies and procedures to test and manage risks related to rollover and fallback technologies for GAI systems, acknowledging that rollover and fallback may include manual processing. GV-6.2-006
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    {risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619
    [AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented. MANAGE 3.1:]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a disclosure report. CC ID 15521 Audits and risk management Establish/Maintain Documentation
    Include metrics in the disclosure report. CC ID 15916
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Audits and risk management Establish/Maintain Documentation
    Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 Audits and risk management Establish/Maintain Documentation
    Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 Audits and risk management Establish/Maintain Documentation
    Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 Audits and risk management Establish/Maintain Documentation
    Include the number of individuals in each region in the disclosure report. CC ID 15835 Audits and risk management Establish/Maintain Documentation
    Include the number of individuals in each gender category in the disclosure report. CC ID 15633 Audits and risk management Establish/Maintain Documentation
    Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 Audits and risk management Establish/Maintain Documentation
    Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 Audits and risk management Establish/Maintain Documentation
    Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 Audits and risk management Establish/Maintain Documentation
    Include metrics criteria in the disclosure report. CC ID 16143 Audits and risk management Establish/Maintain Documentation
    Include risk management metrics in the disclosure report. CC ID 16345 Audits and risk management Establish/Maintain Documentation
    Include financial management metrics in the disclosure report. CC ID 16042 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 Audits and risk management Establish/Maintain Documentation
    Include metrics on anti-corruption in the disclosure report. CC ID 16052 Audits and risk management Establish/Maintain Documentation
    Include environmental management metrics in the disclosure report. CC ID 16012 Audits and risk management Establish/Maintain Documentation
    Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 Audits and risk management Establish/Maintain Documentation
    Include metrics on procurement practices in the disclosure report. CC ID 16011 Audits and risk management Establish/Maintain Documentation
    Include emissions management metrics in the disclosure report. CC ID 15987 Audits and risk management Establish/Maintain Documentation
    Include compliance metrics in the disclosure report. CC ID 15932 Audits and risk management Establish/Maintain Documentation
    Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 Audits and risk management Establish/Maintain Documentation
    Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 Audits and risk management Establish/Maintain Documentation
    Include metrics on labor-management relations in the disclosure report. CC ID 15935 Audits and risk management Establish/Maintain Documentation
    Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 Audits and risk management Establish/Maintain Documentation
    Include waste management metrics in the disclosure report. CC ID 15925 Audits and risk management Establish/Maintain Documentation
    Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 Audits and risk management Establish/Maintain Documentation
    Include the total weight of waste generated in the disclosure report. CC ID 15778 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of waste generated in the disclosure report. CC ID 15775 Audits and risk management Establish/Maintain Documentation
    Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 Audits and risk management Establish/Maintain Documentation
    Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 Audits and risk management Establish/Maintain Documentation
    Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 Audits and risk management Establish/Maintain Documentation
    Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 Audits and risk management Establish/Maintain Documentation
    Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 Audits and risk management Establish/Maintain Documentation
    Include product and service management metrics in the disclosure report. CC ID 15917 Audits and risk management Establish/Maintain Documentation
    Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 Audits and risk management Establish/Maintain Documentation
    Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 Audits and risk management Establish/Maintain Documentation
    Include water management metrics in the disclosure report. CC ID 15924 Audits and risk management Establish/Maintain Documentation
    Include the total water withdrawal in the disclosure report. CC ID 15593 Audits and risk management Establish/Maintain Documentation
    Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 Audits and risk management Establish/Maintain Documentation
    Include the total water discharge in the disclosure report. CC ID 15758 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of water discharge in the disclosure report. CC ID 15759 Audits and risk management Establish/Maintain Documentation
    Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 Audits and risk management Establish/Maintain Documentation
    Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 Audits and risk management Establish/Maintain Documentation
    Include the total water consumption in the disclosure report. CC ID 15642 Audits and risk management Establish/Maintain Documentation
    Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 Audits and risk management Establish/Maintain Documentation
    Include the total number of complaints received in the disclosure report. CC ID 15728 Audits and risk management Establish/Maintain Documentation
    Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 Audits and risk management Establish/Maintain Documentation
    Include employment practices metrics in the disclosure report. CC ID 15921 Audits and risk management Establish/Maintain Documentation
    Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 Audits and risk management Actionable Reports or Measurements
    Include the percentage of offshore employees in the disclosure report. CC ID 15623 Audits and risk management Actionable Reports or Measurements
    Include the rate of employee turnover in the disclosure report. CC ID 15898 Audits and risk management Establish/Maintain Documentation
    Include the total number of new employee hires in the disclosure report. CC ID 15896 Audits and risk management Establish/Maintain Documentation
    Include the total number of employees in the disclosure report. CC ID 15834 Audits and risk management Establish/Maintain Documentation
    Include metrics on parental leave in the disclosure report. CC ID 15936 Audits and risk management Establish/Maintain Documentation
    Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 Audits and risk management Establish/Maintain Documentation
    Include the number of hours worked in the disclosure report. CC ID 15910 Audits and risk management Establish/Maintain Documentation
    Include the percentage of employee engagement in the disclosure report. CC ID 15634 Audits and risk management Actionable Reports or Measurements
    Include metrics on public policy advocacy in the disclosure report. CC ID 15947 Audits and risk management Establish/Maintain Documentation
    Include the total monetary value of political contributions in the disclosure report. CC ID 15803 Audits and risk management Establish/Maintain Documentation
    Include metrics on training and education in the disclosure report. CC ID 15940 Audits and risk management Establish/Maintain Documentation
    Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 Audits and risk management Establish/Maintain Documentation
    Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 Audits and risk management Establish/Maintain Documentation
    Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 Audits and risk management Actionable Reports or Measurements
    Include operational metrics in the disclosure report. CC ID 15939 Audits and risk management Establish/Maintain Documentation
    Include incident management metrics in the disclosure report. CC ID 15926 Audits and risk management Establish/Maintain Documentation
    Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 Audits and risk management Establish/Maintain Documentation
    Include the total user downtime in the disclosure report. CC ID 15635 Audits and risk management Actionable Reports or Measurements
    Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 Audits and risk management Establish/Maintain Documentation
    Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 Audits and risk management Establish/Maintain Documentation
    Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 Audits and risk management Establish/Maintain Documentation
    Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 Audits and risk management Actionable Reports or Measurements
    Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 Audits and risk management Actionable Reports or Measurements
    Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 Audits and risk management Establish/Maintain Documentation
    Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 Audits and risk management Establish/Maintain Documentation
    Include the number of content removal requests in the disclosure report. CC ID 15647 Audits and risk management Establish/Maintain Documentation
    Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 Audits and risk management Establish/Maintain Documentation
    Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 Audits and risk management Establish/Maintain Documentation
    Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 Audits and risk management Establish/Maintain Documentation
    Include third party management metrics in the disclosure report. CC ID 15923 Audits and risk management Establish/Maintain Documentation
    Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 Audits and risk management Establish/Maintain Documentation
    Include metrics on supplier social assessments in the disclosure report. CC ID 15938 Audits and risk management Establish/Maintain Documentation
    Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 Audits and risk management Establish/Maintain Documentation
    Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 Audits and risk management Establish/Maintain Documentation
    Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 Audits and risk management Establish/Maintain Documentation
    Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 Audits and risk management Establish/Maintain Documentation
    Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 Audits and risk management Establish/Maintain Documentation
    Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 Audits and risk management Establish/Maintain Documentation
    Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 Audits and risk management Establish/Maintain Documentation
    Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 Audits and risk management Establish/Maintain Documentation
    Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 Audits and risk management Establish/Maintain Documentation
    Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 Audits and risk management Establish/Maintain Documentation
    Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 Audits and risk management Establish/Maintain Documentation
    Include customer health and safety management metrics in the disclosure report. CC ID 15922 Audits and risk management Establish/Maintain Documentation
    Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 Audits and risk management Establish/Maintain Documentation
    Include energy management metrics in the disclosure report. CC ID 15920 Audits and risk management Establish/Maintain Documentation
    Include the total energy reduction in the disclosure report. CC ID 15749 Audits and risk management Establish/Maintain Documentation
    Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 Audits and risk management Establish/Maintain Documentation
    Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 Audits and risk management Establish/Maintain Documentation
    Include the total heating sold in the disclosure report. CC ID 15739 Audits and risk management Establish/Maintain Documentation
    Include the energy intensity ratio in the disclosure report. CC ID 15735 Audits and risk management Actionable Reports or Measurements
    Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 Audits and risk management Establish/Maintain Documentation
    Include the total electricity sold in the disclosure report. CC ID 15740 Audits and risk management Establish/Maintain Documentation
    Include the total energy consumption in the disclosure report. CC ID 15506 Audits and risk management Establish/Maintain Documentation
    Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 Audits and risk management Establish/Maintain Documentation
    Include the total heating consumption in the disclosure report. CC ID 15743 Audits and risk management Establish/Maintain Documentation
    Include the total cooling sold in the disclosure report. CC ID 15738 Audits and risk management Establish/Maintain Documentation
    Include the total cooling consumption in the disclosure report. CC ID 15742 Audits and risk management Establish/Maintain Documentation
    Include the total steam sold in the disclosure report. CC ID 15737 Audits and risk management Establish/Maintain Documentation
    Include the total steam consumption in the disclosure report. CC ID 15741 Audits and risk management Establish/Maintain Documentation
    Include the fuel types used in the disclosure report. CC ID 15745 Audits and risk management Establish/Maintain Documentation
    Include materials management metrics in the disclosure report. CC ID 15919 Audits and risk management Establish/Maintain Documentation
    Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 Audits and risk management Establish/Maintain Documentation
    Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 Audits and risk management Establish/Maintain Documentation
    Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 Audits and risk management Establish/Maintain Documentation
    Include occupational health and safety management metrics in the disclosure report. CC ID 15918 Audits and risk management Establish/Maintain Documentation
    Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 Audits and risk management Establish/Maintain Documentation
    Include the total number of work-related injuries in the disclosure report. CC ID 15899 Audits and risk management Establish/Maintain Documentation
    Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 Audits and risk management Establish/Maintain Documentation
    Include how material topics are managed in the disclosure report. CC ID 15657 Audits and risk management Establish/Maintain Documentation
    Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Establish/Maintain Documentation
    Maintain up-to-date data flow diagrams. CC ID 10059
    [{data flow} Institute test and evaluation for data and content flows within the GAI system, including but not limited to, original data sources, data transformations, and decision-making criteria. MP-2.1-002]
    Technical security Establish/Maintain Documentation
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Establish/Maintain Documentation
    Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 Technical security Establish/Maintain Documentation
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Communicate
    Manage all external network connections. CC ID 11842
    [Observe and analyze how the GAI system interacts with external networks, and identify any potential for negative externalities, particularly where content provenance might be compromised. MP-2.2-002]
    Technical security Technical Security
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical security Technical Security
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical security Technical Security
    Prohibit systems from connecting directly to external networks. CC ID 08709 Technical security Configuration
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Technical Security
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540
    [Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness. GOVERN 1.7:
    Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Physical and environmental protection Establish/Maintain Documentation
    Obtain management approval prior to decommissioning assets. CC ID 17269 Physical and environmental protection Business Processes
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Process or Activity
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk. GOVERN 6.2:]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Establish/Maintain Documentation
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Operational and Systems Continuity Communicate
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish policies and procedures that address GAI data redundancy, including model weights and other system artifacts. GV-6.2-005]
    Operational and Systems Continuity Systems Continuity
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Operational and Systems Continuity Communicate
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Physical and Environmental Protection
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Configuration
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Establish/Maintain Documentation
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Data and Information Management
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Data and Information Management
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Systems Continuity
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Data and Information Management
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Data and Information Management
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Business Processes
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143
    [{appropriate person} Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI Actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance. MEASURE 1.3:]
    Human Resources management Human Resources Management
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:]
    Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define organizational responsibilities for periodic review of content provenance and incident monitoring for GAI systems. GV-1.5-001]
    Human Resources management Human Resources Management
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Human Resources Management
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Establish Roles
    Document the use of external experts. CC ID 16263 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. GOVERN 2.1:
    {be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:
    Practices and personnel for supporting regular engagement with relevant AI Actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. MAP 5.2:
    When systems may raise national security risks, involve national security professionals in mapping, measuring, and managing those risks. GV-2.1-004
    Establish and empower interdisciplinary teams that reflect a wide range of capabilities, competencies, demographic groups, domain expertise, educational backgrounds, lived experiences, professions, and skills across the enterprise to inform and conduct risk measurement and management functions. MP-1.2-001]
    Human Resources management Human Resources Management
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Establish Roles
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Human Resources Management
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Establish Roles
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Human Resources Management
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Human Resources Management
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Human Resources Management
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Communicate
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Establish Roles
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Human Resources Management
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Human Resources Management
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Human Resources Management
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Establish Roles
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Human Resources Management
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Establish Roles
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Establish Roles
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Establish Roles
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Establish Roles
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Establish Roles
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Establish Roles
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Establish Roles
    Assign the roles and responsibilities for the asset management system. CC ID 14368
    [Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems. GOVERN 3.2:
    Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use. MANAGE 2.4:]
    Human Resources management Establish/Maintain Documentation
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Establish Roles
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Establish Roles
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Establish Roles
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Establish Roles
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Establish Roles
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Human Resources Management
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671
    [Conduct joint educational activities and events in collaboration with third parties to promote best practices for managing GAI risks. GV-6.1-002]
    Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268
    [Develop certification programs that test proficiency in managing GAI risks and interpreting content provenance, relevant to specific industry and context. MP-3.4-003]
    Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Develop or acquire content to update the training plans. CC ID 12867
    [Adapt existing training programs to include modules on digital content transparency. MP-3.4-002]
    Human Resources management Training
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Training
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Business Processes
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [{risk evaluation} Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations. GV-1.2-002]
    Human Resources management Establish/Maintain Documentation
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Human Resources management Business Processes
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Human Resources management Communicate
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Human Resources management Establish/Maintain Documentation
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Human Resources management Establish/Maintain Documentation
    Include management commitment in the occupational health and safety policy. CC ID 16264 Human Resources management Behavior
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Human Resources management Establish/Maintain Documentation
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Human Resources management Establish/Maintain Documentation
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Human Resources management Physical and Environmental Protection
    Install duress alarms in susceptible public areas. CC ID 06075 Human Resources management Physical and Environmental Protection
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources management Human Resources Management
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Human Resources management Establish/Maintain Documentation
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources management Human Resources Management
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain food handling procedures. CC ID 11765 Human Resources management Establish/Maintain Documentation
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources management Human Resources Management
    Protect personnel from work-related intimidation. CC ID 07046 Human Resources management Behavior
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources management Human Resources Management
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards that could affect personnel while traveling internationally. CC ID 06076 Human Resources management Human Resources Management
    Refrain from using gifted mobile devices. CC ID 16460 Human Resources management Acquisition/Sale of Assets or Services
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Human Resources management Business Processes
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Human Resources management Configuration
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources management Human Resources Management
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859
    [Create mechanisms to provide protections for whistleblowers who report, based on reasonable belief, when the organization violates relevant laws or poses a specific and empirically well-substantiated negative risk to public safety (or has already caused harm). GV-2.1-005]
    Human Resources management Communicate
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
    Verify information sharing and feedback mechanisms among individuals and organizations regarding any negative impact from GAI systems. GV-4.3-003]
    Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security policy. CC ID 11740
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Establish/Maintain Documentation
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967
    [{internal use} When identifying intended purposes, consider factors such as internal vs. external use, narrow vs. broad application scope, fine-tuning, and varieties of data sources (e.g., grounding, retrieval-augmented generation). MP-1.1-001]
    Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Provide support for information sharing activities. CC ID 15644
    [{be interdisciplinary} Interdisciplinary AI Actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. MAP 1.2:]
    Operational management Process or Activity
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Define acceptable use policies for GAI interfaces, modalities, and human-AI configurations (i.e., for chatbots and decision-making tasks), including criteria for the kinds of queries GAI applications should refuse to respond to. GV-3.2-003
    {be transparent} {be illegal} Establish transparent acceptable use policies for GAI that address illegal use or applications of GAI. GV-1.4-002
    Update GAI acceptable use policies to address proprietary and open-source GAI technologies and data, and contractors, consultants, and other third-party personnel. GV-6.1-010]
    Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party's intellectual property or other rights. MAP 4.1:
    Implement policies and practices defining how third-party intellectual property and training data will be used, stored, and protected. MP-4.1-006]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Review systems for compliance with organizational information security policies. CC ID 12004
    [AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Operational management Business Processes
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Fairness and bias – as identified in the MAP function – are evaluated and results are documented. MEASURE 2.11:]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001]
    Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI system inventory requirements to account for GAI risks. GV-1.6-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181
    [Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities. GOVERN 1.6:]
    Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Operational management Data and Information Management
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Operational management Data and Information Management
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented. MANAGE 4.3:]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Communicate
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Operational management Human Resources Management
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Establish/Maintain Documentation
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Operational management Establish/Maintain Documentation
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Establish/Maintain Documentation
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Establish/Maintain Documentation
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Establish/Maintain Documentation
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:]
    Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208 Operational management Technical Security
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Establish/Maintain Documentation
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Establish/Maintain Documentation
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Business Processes
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Establish/Maintain Documentation
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Establish/Maintain Documentation
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Establish/Maintain Documentation
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Establish/Maintain Documentation
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Establish/Maintain Documentation
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Establish/Maintain Documentation
    Use plain language to write incident response notifications. CC ID 12976 Operational management Establish/Maintain Documentation
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Establish/Maintain Documentation
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Establish/Maintain Documentation
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Establish/Maintain Documentation
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Behavior
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Establish/Maintain Documentation
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Behavior
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Behavior
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Establish/Maintain Documentation
    Include a description of the data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Monitor and Evaluate Occurrences
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Investigate
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Establish/Maintain Documentation
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Establish/Maintain Documentation
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Technical Security
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Data and Information Management
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Records Management
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Establish/Maintain Documentation
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Log Management
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Establish/Maintain Documentation
    Include users' responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Establish/Maintain Documentation
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Establish organizational roles, policies, and procedures for communicating GAI incidents and performance to AI Actors and downstream stakeholders (including those potentially impacted), via community or official resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor). GV-2.1-001]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Communicate
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Establish procedures to engage teams for GAI system incident response with diverse composition and responsibilities based on the particular incident type. GV-2.1-002
    Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Operational management Establish/Maintain Documentation
    Create an incident response report. CC ID 12700 Operational management Establish/Maintain Documentation
    Include how the incident was discovered in the incident response report. CC ID 16987 Operational management Establish/Maintain Documentation
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Operational management Establish/Maintain Documentation
    Include disciplinary actions taken in the incident response report. CC ID 16810 Operational management Establish/Maintain Documentation
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Operational management Establish/Maintain Documentation
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Operational management Establish/Maintain Documentation
    Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 Operational management Establish/Maintain Documentation
    Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 Operational management Establish/Maintain Documentation
    Include investments associated with the incident in the incident response report. CC ID 12726 Operational management Establish/Maintain Documentation
    Include costs associated with the incident in the incident response report. CC ID 12725 Operational management Establish/Maintain Documentation
    Include losses due to the incident in the incident response report. CC ID 12724 Operational management Establish/Maintain Documentation
    Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 Operational management Establish/Maintain Documentation
    Include foregone revenue from the incident in the incident response report. CC ID 12723 Operational management Establish/Maintain Documentation
    Include the magnitude of the incident in the incident response report. CC ID 12722 Operational management Establish/Maintain Documentation
    Include implications of the incident in the incident response report. CC ID 12721 Operational management Establish/Maintain Documentation
    Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 Operational management Establish/Maintain Documentation
    Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 Operational management Establish/Maintain Documentation
    Include information on all affected assets in the incident response report. CC ID 12718 Operational management Establish/Maintain Documentation
    Include the scope of the incident in the incident response report. CC ID 12717 Operational management Establish/Maintain Documentation
    Include the duration of the incident in the incident response report. CC ID 12716 Operational management Establish/Maintain Documentation
    Include the extent of the incident in the incident response report. CC ID 12715 Operational management Establish/Maintain Documentation
    Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 Operational management Establish/Maintain Documentation
    Include the reasons the incident occurred in the incident response report. CC ID 12711 Operational management Establish/Maintain Documentation
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 Operational management Establish/Maintain Documentation
    Include lessons learned from the incident in the incident response report. CC ID 12713 Operational management Establish/Maintain Documentation
    Include where the incident occurred in the incident response report. CC ID 12710 Operational management Establish/Maintain Documentation
    Include when the incident occurred in the incident response report. CC ID 12709 Operational management Establish/Maintain Documentation
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 Operational management Establish/Maintain Documentation
    Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 Operational management Establish/Maintain Documentation
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 Operational management Establish/Maintain Documentation
    Include an executive summary of the incident in the incident response report. CC ID 12702 Operational management Establish/Maintain Documentation
    Include a root cause analysis of the incident in the incident response report. CC ID 12701 Operational management Establish/Maintain Documentation
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 Operational management Communicate
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Operational management Acquisition/Sale of Assets or Services
    Define target resolution times for incident response in the Incident Response program. CC ID 13072 Operational management Establish/Maintain Documentation
    Mitigate reported incidents. CC ID 12973 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain an incident response plan. CC ID 12056 Operational management Establish/Maintain Documentation
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Establish/Maintain Documentation
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Establish/Maintain Documentation
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Establish/Maintain Documentation
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Establish/Maintain Documentation
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Establish/Maintain Documentation
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Establish/Maintain Documentation
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Establish/Maintain Documentation
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Establish/Maintain Documentation
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Establish/Maintain Documentation
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Operational management Establish/Maintain Documentation
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Operational management Communicate
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Establish Roles
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Establish Roles
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Establish Roles
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Establish Roles
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Establish Roles
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Establish Roles
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Establish Roles
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Establish Roles
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Establish Roles
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Human Resources Management
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Establish/Maintain Documentation
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Communicate
    Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 Operational management Establish/Maintain Documentation
    Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 Operational management Establish/Maintain Documentation
    Include identifying remediation actions in the incident response plan. CC ID 13354 Operational management Establish/Maintain Documentation
    Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 Operational management Establish/Maintain Documentation
    Include log management procedures in the incident response program. CC ID 17081 Operational management Establish/Maintain Documentation
    Include coverage of all system components in the Incident Response program. CC ID 11955 Operational management Establish/Maintain Documentation
    Prepare for incident response notifications. CC ID 00584 Operational management Establish/Maintain Documentation
    Include incident response team services in the Incident Response program. CC ID 11766 Operational management Establish/Maintain Documentation
    Include the incident response training program in the Incident Response program. CC ID 06750 Operational management Establish/Maintain Documentation
    Incorporate simulated events into the incident response training program. CC ID 06751 Operational management Behavior
    Incorporate tested, realistic exercises into the incident response training program. CC ID 06753 Operational management Behavior
    Conduct incident response training. CC ID 11889 Operational management Training
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Operational management Establish/Maintain Documentation
    Include compliance requirements in the incident response policy. CC ID 14108 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the incident response policy. CC ID 14107 Operational management Establish/Maintain Documentation
    Include management commitment in the incident response policy. CC ID 14106 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the incident response policy. CC ID 14105 Operational management Establish/Maintain Documentation
    Include the scope in the incident response policy. CC ID 14104 Operational management Establish/Maintain Documentation
    Include the purpose in the incident response policy. CC ID 14101 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Operational management Communicate
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Operational management Establish/Maintain Documentation
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 Operational management Behavior
    Include business continuity procedures in the Incident Response program. CC ID 06433 Operational management Establish/Maintain Documentation
    Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 Operational management Establish/Maintain Documentation
    Include consumer protection procedures in the Incident Response program. CC ID 12755 Operational management Systems Continuity
    Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 Operational management Business Processes
    Include business recovery procedures in the Incident Response program. CC ID 11774 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Operational management Establish/Maintain Documentation
    Retain collected evidence for potential future legal actions. CC ID 01235 Operational management Records Management
    Include time information in the chain of custody. CC ID 17068 Operational management Log Management
    Include actions performed on evidence in the chain of custody. CC ID 17067 Operational management Log Management
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Operational management Log Management
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Establish/Maintain Documentation
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Operational management Establish/Maintain Documentation
    Identify potential sources of digital forensic evidence. CC ID 08651 Operational management Investigate
    Document the legal requirements for evidence collection. CC ID 08654 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Operational management Records Management
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 Operational management Establish/Maintain Documentation
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 Operational management Actionable Reports or Measurements
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain a performance management standard. CC ID 01615
[Establish minimum thresholds for performance or assurance criteria and review as part of deployment approval ("go/"no-go") policies, procedures, and processes, with reviewed processes and approval thresholds reflecting measurement of GAI capabilities and risks. GV-1.3-002]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Business Processes
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Establish/Maintain Documentation
    Follow the maintenance schedule. CC ID 11791 Operational management Maintenance
    Establish, implement, and maintain rate limits, as necessary. CC ID 06883 Operational management Business Processes
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain rate limits for connection attempts. CC ID 16986 Operational management Technical Security
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a back-out plan. CC ID 13623
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388
    [In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003]
    Operational management Systems Design, Build, and Implementation
    Establish and maintain a service catalog. CC ID 13634 Operational management Establish/Maintain Documentation
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an artificial intelligence system. CC ID 14943
[The specific tasks and methods used to implement the tasks that the AI system will support are defined (e.g., classifiers, generative models, recommenders). MAP 2.1:
Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI Actors. MANAGE 4.2:
Devise a plan to halt development or deployment of a GAI system that poses unacceptable negative risk. GV-1.3-007]
    Operational management Systems Design, Build, and Implementation
    Provide affected parties with the role of artificial intelligence in decision making. CC ID 17236 Operational management Communicate
    Provide the reasons for adverse decisions made by artificial intelligence systems. CC ID 17253 Operational management Process or Activity
    Authorize artificial intelligence systems for use under defined conditions. CC ID 17210 Operational management Process or Activity
    Refrain from notifying users when images, videos, or audio have been artificially generated or manipulated if use of the artificial intelligence system is authorized by law. CC ID 15051 Operational management Communicate
    Establish, implement, and maintain a post-market monitoring system. CC ID 15050 Operational management Monitor and Evaluate Occurrences
    Limit artificial intelligence systems authorizations to the time period until conformity assessment procedures are complete. CC ID 15043 Operational management Business Processes
    Terminate authorizations for artificial intelligence systems when conformity assessment procedures are complete. CC ID 15042 Operational management Business Processes
    Authorize artificial intelligence systems to be put into service for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15039 Operational management Business Processes
    Discard the outputs of the artificial intelligence system when authorizations are denied. CC ID 17225 Operational management Process or Activity
    Authorize artificial intelligence systems to be placed on the market for exceptional reasons while conformity assessment procedures are being conducted. CC ID 15037 Operational management Business Processes
Prohibit artificial intelligence systems from being placed on the market when they are not in compliance with the requirements. CC ID 15029 Operational management Acquisition/Sale of Assets or Services
    Ensure the artificial intelligence system performs at an acceptable level of accuracy, robustness, and cybersecurity. CC ID 15024
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:
    {residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:
Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI Actors to validate whether the system is performing consistently as intended. Results are documented. MEASURE 4.2:
    Assess the accuracy, quality, reliability, and authenticity of GAI output by comparing it to a set of known ground truth data and by using a variety of evaluation methods (e.g., human oversight and automated evaluation, proven cryptographic techniques, review of content inputs). MP-2.3-001]
    Operational management Process or Activity
    Implement an acceptable level of accuracy, robustness, and cybersecurity in the development of artificial intelligence systems. CC ID 15022
[The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices. GOVERN 1.2:]
    Operational management Systems Design, Build, and Implementation
Take into account the nature of the situation when determining the possibility of using 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement. CC ID 15020 Operational management Process or Activity
Notify users when images, videos, or audio on the artificial intelligence system have been artificially generated or manipulated. CC ID 15019 Operational management Communicate
    Refrain from notifying users of artificial intelligence systems using biometric categorization for law enforcement. CC ID 15017 Operational management Communicate
    Use a remote biometric identification system under defined conditions. CC ID 15016 Operational management Process or Activity
    Notify users when they are using an artificial intelligence system. CC ID 15015 Operational management Communicate
    Receive prior authorization for the use of a remote biometric identification system. CC ID 15014 Operational management Business Processes
Prohibit artificial intelligence systems that deploy subliminal techniques from being placed on the market. CC ID 15012 Operational management Acquisition/Sale of Assets or Services
    Prohibit artificial intelligence systems that use social scores for unfavorable treatment from being placed on the market. CC ID 15010 Operational management Acquisition/Sale of Assets or Services
    Prohibit artificial intelligence systems that evaluate or classify the trustworthiness of individuals from being placed on the market. CC ID 15008 Operational management Acquisition/Sale of Assets or Services
Prohibit artificial intelligence systems that exploit vulnerabilities of a specific group of persons from being placed on the market. CC ID 15006 Operational management Acquisition/Sale of Assets or Services
    Refrain from making a decision based on system output unless verified by at least two natural persons. CC ID 15004 Operational management Business Processes
    Establish, implement, and maintain human oversight over artificial intelligence systems. CC ID 15003
    [Policies are in place to bolster oversight of GAI systems with independent evaluations or assessments of GAI models or systems where the type and robustness of evaluations are proportional to the identified risks. GV-3.2-001
    In addition to general model, governance, and risk information, consider the following items in GAI system inventory entries: Data provenance information (e.g., source, signatures, versioning, watermarks); Known issues reported from internal bug tracking or external information sharing resources (e.g., AI incident database, AVID, CVE, NVD, or OECD AI incident monitor); Human oversight roles and responsibilities; Special rights and considerations for intellectual property, licensed works, or personal, privileged, proprietary or sensitive data; Underlying foundation models, versions of underlying models, and access modes. GV-1.6-003
    Establish policies, procedures, and processes for oversight functions (e.g., senior leadership, legal, compliance, including internal evaluation) across the GAI lifecycle, from problem formulation and supply chains to system decommission. GV-4.1-003
    {human interface} {artificial intelligence system} Implement systems to continually monitor and track the outcomes of human-GAI configurations for future refinement and improvements. MP-3.4-005]
    Operational management Behavior
    Implement measures to enable personnel assigned to human oversight to intervene or interrupt the operation of the artificial intelligence system. CC ID 15093 Operational management Process or Activity
    Implement measures to enable personnel assigned to human oversight to be aware of the possibility of automatically relying or over-relying on outputs to make decisions. CC ID 15091 Operational management Human Resources Management
    Implement measures to enable personnel assigned to human oversight to interpret output correctly. CC ID 15089 Operational management Data and Information Management
Implement measures to enable personnel assigned to human oversight to decide to refrain from using the artificial intelligence system or to override, disregard, or reverse the output. CC ID 15079
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Operational management Behavior
    Enable users to interpret the artificial intelligence system's output and use. CC ID 15002
[The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:]
    Operational management Business Processes
    Develop artificial intelligence systems involving the training of models with data sets that meet the quality criteria. CC ID 14996
[The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance. MEASURE 2.9:
    Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches. GV-1.2-001]
    Operational management Systems Design, Build, and Implementation
    Withdraw the technical documentation assessment certificate when the artificial intelligence system is not in compliance with requirements. CC ID 15099 Operational management Establish/Maintain Documentation
    Reassess the designation of artificial intelligence systems. CC ID 17230 Operational management Process or Activity
    Define a high-risk artificial intelligence system. CC ID 14959 Operational management Establish/Maintain Documentation
Take into account the consequences for the rights and freedoms of persons when using 'real-time' remote biometric identification systems for law enforcement. CC ID 14957 Operational management Process or Activity
    Allow the use of 'real-time' remote biometric identification systems for law enforcement under defined conditions. CC ID 14955 Operational management Process or Activity
    Document the use of remote biometric identification systems. CC ID 17215 Operational management Business Processes
    Notify interested personnel and affected parties of the use of remote biometric identification systems. CC ID 17216 Operational management Communicate
    Refrain from using remote biometric identification systems under defined conditions. CC ID 14953 Operational management Process or Activity
    Prohibit the use of artificial intelligence systems under defined conditions. CC ID 14951 Operational management Process or Activity
    Establish, implement, and maintain an environmental management system. CC ID 14945 Operational management Business Processes
    Include the scope in the environmental management system. CC ID 14950 Operational management Establish/Maintain Documentation
    Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184
[Environmental impact and sustainability of AI model training and management activities – as identified in the MAP function – are assessed and documented. MEASURE 2.12:]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Certify the system before releasing it into a production environment. CC ID 06419 System hardening through configuration management Configuration
    Document the system's accreditation and residual risks. CC ID 06728
[Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    System hardening through configuration management Configuration
    Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 System hardening through configuration management Establish/Maintain Documentation
    Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Store records and data in accordance with organizational standards. CC ID 16439 Records management Data and Information Management
    Remove dormant data from systems, as necessary. CC ID 13726 Records management Process or Activity
    Select the appropriate format for archived data and records. CC ID 06320 Records management Data and Information Management
    Archive appropriate records, logs, and database tables. CC ID 06321 Records management Records Management
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Records management Data and Information Management
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Records management Data and Information Management
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document retention procedures. CC ID 11660
    [Maintain a document retention policy to keep history for test, evaluation, validation, and verification (TEVV), and digital content transparency methods for GAI. GV-1.5-003]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823
    [Allocate time and resources for outreach, feedback, and recourse processes in GAI system development. GV-5.1-001]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 Systems design, build, and implementation Establish/Maintain Documentation
    Perform a feasibility study for product requests. CC ID 06895 Systems design, build, and implementation Acquisition/Sale of Assets or Services
    Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 Systems design, build, and implementation Acquisition/Sale of Assets or Services
    Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 Systems design, build, and implementation Human Resources Management
    Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 Systems design, build, and implementation Establish/Maintain Documentation
    Include information security throughout the system development life cycle. CC ID 12042 Systems design, build, and implementation Systems Design, Build, and Implementation
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Data and Information Management
    Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 Systems design, build, and implementation Communicate
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [Consider adjustment of organizational roles and components across lifecycle stages of large or complex GAI systems, including: Test and evaluation, validation, and red-teaming of GAI systems; GAI content moderation; GAI system development and engineering; Increased accessibility of GAI tools, interfaces, and systems, Incident response and containment. GV-3.2-002]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Establish/Maintain Documentation
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Systems design, build, and implementation Establish/Maintain Documentation
    Include naming conventions in system design guidelines. CC ID 13656 Systems design, build, and implementation Establish/Maintain Documentation
    Implement manual override capability into automated systems. CC ID 14921 Systems design, build, and implementation Systems Design, Build, and Implementation
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Systems design, build, and implementation Establish Roles
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Systems design, build, and implementation Establish Roles
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Systems design, build, and implementation Establish Roles
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain an input requirements definition document. CC ID 01071 Systems design, build, and implementation Establish/Maintain Documentation
    Search for metadata during e-discovery. CC ID 01073 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain security design principles. CC ID 14718 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752
[Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Systems design, build, and implementation Establish/Maintain Documentation
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744
    [{residual risk} The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures. MEASURE 2.6:]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system use training plan. CC ID 01089
    [Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented. MAP 3.4:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Train the affected users during system development life cycle projects. CC ID 01091 Systems design, build, and implementation Behavior
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Systems design, build, and implementation Establish/Maintain Documentation
    Include the physical design characteristics in the system design specification. CC ID 06927 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain System Development Life Cycle documentation. CC ID 12079
    [Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts. GOVERN 4.1:]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 Systems design, build, and implementation Establish/Maintain Documentation
    Define and document organizational structures for the System Development Life Cycle program. CC ID 12549 Systems design, build, and implementation Establish/Maintain Documentation
    Include system and network monitoring reporting lines in the System Development Life Cycle documentation. CC ID 12562 Systems design, build, and implementation Establish/Maintain Documentation
    Include system maintenance authorities in the System Development Life Cycle documentation. CC ID 12566 Systems design, build, and implementation Establish/Maintain Documentation
    Include system development reporting lines in the System Development Life Cycle documentation. CC ID 12559 Systems design, build, and implementation Establish/Maintain Documentation
    Include system design reporting lines in the System Development Life Cycle documentation. CC ID 12558 Systems design, build, and implementation Establish/Maintain Documentation
    Include system development authorities in the System Development Life Cycle documentation. CC ID 12564 Systems design, build, and implementation Establish/Maintain Documentation
    Include system design authorities in the System Development Life Cycle documentation. CC ID 12572 Systems design, build, and implementation Establish/Maintain Documentation
    Include system and network monitoring authorities in the System Development Life Cycle documentation. CC ID 12568 Systems design, build, and implementation Establish/Maintain Documentation
    Include system operation authorities in the System Development Life Cycle documentation. CC ID 12567 Systems design, build, and implementation Establish/Maintain Documentation
    Include system maintenance responsibilities in the System Development Life Cycle documentation. CC ID 12556 Systems design, build, and implementation Establish/Maintain Documentation
    Include system implementation authorities in the System Development Life Cycle documentation. CC ID 12565 Systems design, build, and implementation Establish/Maintain Documentation
    Include system and network monitoring responsibilities in the System Development Life Cycle documentation. CC ID 12557 Systems design, build, and implementation Establish/Maintain Documentation
    Include system operation responsibilities in the System Development Life Cycle documentation. CC ID 12563 Systems design, build, and implementation Establish/Maintain Documentation
    Include system maintenance reporting lines in the System Development Life Cycle documentation. CC ID 12555 Systems design, build, and implementation Establish/Maintain Documentation
    Include system operation reporting lines in the System Development Life Cycle documentation. CC ID 12561 Systems design, build, and implementation Establish/Maintain Documentation
    Include system implementation reporting lines in the System Development Life Cycle documentation. CC ID 12560 Systems design, build, and implementation Establish/Maintain Documentation
    Define and document organizational structures for system and network monitoring. CC ID 12554 Systems design, build, and implementation Establish/Maintain Documentation
    Define and document organizational structures for systems operations. CC ID 12553 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a full set of system procedures. CC ID 01074 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a physical, electrical, and logical interface specification. CC ID 01075 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a user-machine interaction specification. CC ID 01076 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a processing requirements definition document. CC ID 01077 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain an output requirements definition document. CC ID 01078 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a database management standard. CC ID 01079 Systems design, build, and implementation Establish/Maintain Documentation
    Compile databases to protect their structural intellectual property. CC ID 07044 Systems design, build, and implementation Technical Security
    Establish, implement, and maintain system design requirements. CC ID 06618
    [Scientific integrity and TEVV considerations are identified and documented, including those related to experimental design, data collection and selection (e.g., availability, representativeness, suitability), system trustworthiness, and construct validation MAP 2.3:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 Systems design, build, and implementation Systems Design, Build, and Implementation
    Document stakeholder requirements and how they influence system design requirements. CC ID 06925 Systems design, build, and implementation Establish/Maintain Documentation
    Document legal requirements and how they influence system design requirements. CC ID 11793 Systems design, build, and implementation Establish/Maintain Documentation
    Design and develop built-in redundancies, as necessary. CC ID 13064 Systems design, build, and implementation Systems Design, Build, and Implementation
    Identify and document system design constraints. CC ID 06923 Systems design, build, and implementation Establish/Maintain Documentation
    Identify and document limitations that the implementation technology and the implementation strategy puts on the system design solution. CC ID 06928
    [{be reliable} The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented. MEASURE 2.5:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Design resource-isolation mechanisms into the infrastructure of Software as a Service. CC ID 12348 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 Systems design, build, and implementation Systems Design, Build, and Implementation
    Identify and document system development constraints. CC ID 11698 Systems design, build, and implementation Establish/Maintain Documentation
    Identify and document the system boundaries of the system design project. CC ID 06924 Systems design, build, and implementation Establish/Maintain Documentation
    Evaluate the criticality and sensitivity of information being accessed when designing systems. CC ID 07076 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include performance criteria in the system requirements specification. CC ID 11540 Systems design, build, and implementation Technical Security
    Include accommodating increases in capacity in the system requirements specification. CC ID 11562 Systems design, build, and implementation Technical Security
    Include product upgrade methodologies in the system requirements specification. CC ID 11563 Systems design, build, and implementation Technical Security
    Include the ability of products to verify their own quality in the system requirements specification. CC ID 11564
    [{multiple sources} Deploy and document fact-checking techniques to verify the accuracy and veracity of information generated by GAI systems, especially when the information comes from multiple (or unknown) sources. MP-2.3-003]
    Systems design, build, and implementation Technical Security
    Include anti-counterfeit measures in the system requirements specification. CC ID 11547 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures that resist reverse engineering in the system requirements specification. CC ID 11548 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures that are apparent to anti-counterfeit authentication testing in the system requirements specification. CC ID 11549 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures that are interdependent between material goods and the anti-counterfeit authentication test in the system requirements specification. CC ID 11550 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures that allow product characteristic change detection as the result of an attack in the system requirements specification. CC ID 11551 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 Systems design, build, and implementation Physical and Environmental Protection
    Analyze anti-counterfeit measures for their longevity. CC ID 11553 Systems design, build, and implementation Physical and Environmental Protection
    Disallow reuse of anti-counterfeit measures absent authentication. CC ID 11554 Systems design, build, and implementation Physical and Environmental Protection
    Include anti-counterfeit measures to be compatible with material goods associated with the product in the system requirements specification. CC ID 11555 Systems design, build, and implementation Physical and Environmental Protection
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Establish/Maintain Documentation
    Include the threats and risks associated with the system development project in the project feasibility study. CC ID 11797
    [Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly. GOVERN 4.2:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain project management standards. CC ID 00992 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities. GV-1.3-003]
    Systems design, build, and implementation Establish/Maintain Documentation
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Establish/Maintain Documentation
    Include threat models in the system design specification. CC ID 06829
    [Engage in threat modeling to anticipate potential risks from GAI systems. GV-3.2-005]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. GOVERN 4.3:
    AI system security and resilience – as identified in the MAP function – are evaluated and documented. MEASURE 2.7:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Protect test data in the development environment. CC ID 12014 Systems design, build, and implementation Technical Security
    Control the test data used in the development environment. CC ID 12013 Systems design, build, and implementation Systems Design, Build, and Implementation
    Select the test data carefully. CC ID 12011 Systems design, build, and implementation Systems Design, Build, and Implementation
    Test security functionality during the development process. CC ID 12015 Systems design, build, and implementation Testing
    Include system performance in the scope of system testing. CC ID 12624 Systems design, build, and implementation Process or Activity
    Include security controls in the scope of system testing. CC ID 12623 Systems design, build, and implementation Process or Activity
    Include business logic in the scope of system testing. CC ID 12622 Systems design, build, and implementation Process or Activity
    Assign the review of custom code changes to individuals other than the code author. CC ID 06291 Systems design, build, and implementation Establish Roles
    Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 Systems design, build, and implementation Establish/Maintain Documentation
    Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 Systems design, build, and implementation Communicate
    Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101
    [{performance criteria}{qualitative analysis}{quantitative analysis}{be similar} AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented. MEASURE 2.3:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain technical documentation. CC ID 15005
    [Intended purposes, potentially beneficial uses, context specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood and documented. Considerations include: the specific set or types of users along with their expectations; potential positive and negative impacts of system uses to individuals, communities, organizations, society, and the planet; assumptions and related limitations about AI system purposes, uses, and risks across the development or product AI lifecycle; and related TEVV and system metrics. MAP 1.1:]
    Systems design, build, and implementation Establish/Maintain Documentation
    Retain technical documentation on the premises where the artificial intelligence system is located. CC ID 15104 Systems design, build, and implementation Establish/Maintain Documentation
    Include the risk mitigation measures in the technical documentation. CC ID 17246 Systems design, build, and implementation Establish/Maintain Documentation
    Include the intended outputs of the system in the technical documentation. CC ID 17245 Systems design, build, and implementation Establish/Maintain Documentation
    Include the limitations of the system in the technical documentation. CC ID 17242 Systems design, build, and implementation Establish/Maintain Documentation
    Include the types of data used to train the artificial intelligence system in the technical documentation. CC ID 17241 Systems design, build, and implementation Establish/Maintain Documentation
    Include all required information in the technical documentation. CC ID 15094 Systems design, build, and implementation Establish/Maintain Documentation
    Include information that demonstrates compliance with requirements in the technical documentation. CC ID 15088 Systems design, build, and implementation Establish/Maintain Documentation
    Disseminate and communicate technical documentation to interested personnel and affected parties. CC ID 17229 Systems design, build, and implementation Communicate
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include security requirements in system acquisition contracts. CC ID 01124 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Require the information system developer to create a continuous monitoring plan. CC ID 14307
    [Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI Actors, appeal and override, decommissioning, incident response, recovery, and change management. MANAGE 4.1:]
    Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Establish policies for user feedback mechanisms for GAI systems which include thorough instructions and any mechanisms for recourse. GV-3.2-004]
    Acquisition or sale of facilities, technology, and services Business Processes
    Document consumer complaints. CC ID 13903 Acquisition or sale of facilities, technology, and services Business Processes
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Investigate
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Communicate
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Communicate
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Communicate
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Communicate
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Acquisition or sale of facilities, technology, and services Actionable Reports or Measurements
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Monitor and Evaluate Occurrences
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Behavior
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Remove all unlawful material associated with the take-down request that have not been removed and are feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Limit data leakage. CC ID 00356
    [Consider the following factors when decommissioning GAI systems: Data retention requirements; Data security, e.g., containment, protocols, Data leakage after decommissioning; Dependencies between upstream, downstream, or other data, internet of things (IOT) or AI systems; Use of open-source data or models; Users' emotional entanglement with GAI functions. GV-1.7-002]
    Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain organizational documents. CC ID 16202
    [Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented. Documentation provides sufficient information to assist relevant AI Actors when making decisions and taking subsequent actions. MAP 2.2:]
    Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Use unique titles for organizational documents. CC ID 16289 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Write organizational documents using clear and conspicuous language. CC ID 16281 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Write organizational documents using information that is free from bias. CC ID 16341 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include the publication date on organizational documents. CC ID 16269 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include version control on organizational documents. CC ID 16268 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include the version number on organizational documents. CC ID 16266 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include the author's name and job title on organizational documents. CC ID 16265 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include a record of changes in organizational documents. CC ID 16252 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include page numbers in the record of changes. CC ID 16280 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include change comments in the record of changes. CC ID 16279 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Include the date of the change in the record of changes. CC ID 16278 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Organize all compliance documents. CC ID 06096 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Organize all compliance documents to fit the message. CC ID 06097 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Identify the target audience for compliance documents. CC ID 06108 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define the structure for compliance documents and governance documents. CC ID 06111 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define visual and formatting styles for all structured headings. CC ID 06110 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Define the section heading style, if section headings are being used. CC ID 06112 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Place the table of contents at the document's beginning. CC ID 06114 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Add term definitions to the document's end. CC ID 06115 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Establish/Maintain Documentation
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768
    [Document GAI risks associated with system value chain to identify over-reliance on third-party data and to identify fallbacks. GV-6.2-001]
    Third Party and supply chain oversight Systems Continuity
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514
    [Include clauses in contracts which allow an organization to evaluate third-party GAI processes and standards. GV-6.1-006]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain supply chain due diligence standards. CC ID 08846
    [Update and integrate due diligence processes for GAI acquisition and procurement vendor assessments to include intellectual property, data privacy, security, and other risks. For example, update processes to: Address solutions that may rely on embedded GAI technologies; Address ongoing monitoring, assessments, and alerting, dynamic risk assessments, and real-time reporting tools for monitoring third-party GAI risks; Consider policy adjustments across GAI modeling libraries, tools and APIs, fine-tuned models, and embedded tools; Assess GAI vendors, open-source or proprietary GAI tools, or GAI service providers against incident or vulnerability databases. GV-6.1-009]
    Third Party and supply chain oversight Business Processes
    Provide management support for third party due diligence. CC ID 08847 Third Party and supply chain oversight Business Processes
    Commit to the supply chain due diligence process. CC ID 08849 Third Party and supply chain oversight Business Processes
    Structure the organization to support supply chain due diligence. CC ID 08850 Third Party and supply chain oversight Business Processes
    Schedule supply chain audits, as necessary. CC ID 10015 Third Party and supply chain oversight Audits and Risk Management
    Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 Third Party and supply chain oversight Business Processes
    Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 Third Party and supply chain oversight Establish/Maintain Documentation
    Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 Third Party and supply chain oversight Business Processes
    Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 Third Party and supply chain oversight Business Processes
    Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 Third Party and supply chain oversight Business Processes
    Develop and implement supply chain due diligence capability training program. CC ID 08862 Third Party and supply chain oversight Business Processes
    Determine if additional supply chain due diligence processes are required. CC ID 08863 Third Party and supply chain oversight Business Processes
    Review transaction files for compliance with the supply chain audit standard. CC ID 08864 Third Party and supply chain oversight Establish/Maintain Documentation
    Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 Third Party and supply chain oversight Establish/Maintain Documentation
    Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 Third Party and supply chain oversight Business Processes
    Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878
    [Identify and document how the system relies on upstream data sources, including for content provenance, and if it serves as an upstream dependency for other systems. MP-2.2-001]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 Third Party and supply chain oversight Business Processes
    Collect and disclose payments to purchasers. CC ID 08880 Third Party and supply chain oversight Business Processes
    Collect and disclose ownership information to purchasers. CC ID 08881 Third Party and supply chain oversight Business Processes
    Collect and disclose mine locations to purchasers. CC ID 08882 Third Party and supply chain oversight Business Processes
    Collect and disclose extraction information to purchasers. CC ID 08883 Third Party and supply chain oversight Business Processes
    Provide products or services per customer requests. CC ID 08893 Third Party and supply chain oversight Business Processes
    Collect and disclose facility locations to purchasers. CC ID 08884 Third Party and supply chain oversight Business Processes
    Provide product information to purchasers. CC ID 08894 Third Party and supply chain oversight Data and Information Management
    Collect and disclose supply chain members to purchasers. CC ID 08885 Third Party and supply chain oversight Business Processes
    Define the traceability documentation required for chain of custody certification. CC ID 08895 Third Party and supply chain oversight Establish/Maintain Documentation
    Collect and disclose transportation routes to purchasers. CC ID 08886 Third Party and supply chain oversight Business Processes
    Implement chain of custody procedures. CC ID 08896 Third Party and supply chain oversight Business Processes
    Collect and disclose documentation of security forces to purchasers. CC ID 08887 Third Party and supply chain oversight Establish/Maintain Documentation
    Collect and disclose all local exporters to purchasers. CC ID 08888 Third Party and supply chain oversight Business Processes
    Collect and disclose information provided by local exporters to purchasers. CC ID 08889 Third Party and supply chain oversight Business Processes
    Review documentation that justifies the sourcing and chain of custody. CC ID 08899 Third Party and supply chain oversight Establish/Maintain Documentation
    Employ digital information sharing systems to assess supply chain due diligence. CC ID 08918 Third Party and supply chain oversight Data and Information Management
    Receive and follow up on supply chain grievances. CC ID 08901 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 Third Party and supply chain oversight Business Processes
    Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 Third Party and supply chain oversight Behavior
    Create an on-site mine visit report. CC ID 08921 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a community-monitoring network to provide information about the supply chain. CC ID 08922 Third Party and supply chain oversight Business Processes
    Establish forums for sharing information about the supply chain. CC ID 08923 Third Party and supply chain oversight Business Processes
    Disseminate and communicate collected supply chain information to purchasers. CC ID 08924 Third Party and supply chain oversight Data and Information Management
    Share collected supply chain information with the supply chain members. CC ID 08925 Third Party and supply chain oversight Data and Information Management
    Provide assessment teams with records of materials from red flag locations. CC ID 08926 Third Party and supply chain oversight Business Processes
    Establish and maintain associations of suppliers to minimize exposure to supply chain risk. CC ID 08927 Third Party and supply chain oversight Business Processes
    Collect transit route information from suppliers. CC ID 08928 Third Party and supply chain oversight Data and Information Management
    Establish, implement, and maintain anti-counterfeit measures. CC ID 11522 Third Party and supply chain oversight Technical Security
    Establish, implement, and maintain electronic marketplace terms of service guidelines. CC ID 11523
    [Establish terms of use and terms of service for GAI systems. GV-4.2-001]
    Third Party and supply chain oversight Technical Security
    Include the prohibition of counterfeiting in the electronic marketplace terms of service guidelines. CC ID 11524 Third Party and supply chain oversight Technical Security
    Enforce the electronic marketplace terms of service guidelines. CC ID 11525 Third Party and supply chain oversight Technical Security