Federal Information Security Management Act of 2002/Catalogs

Baseline common controls at low impact
For a system to be low-impact, impairment to its availability, confidentiality and integrity must each be rated in the low category of FIPS 199: "limited adverse effect on organizational operations, organizational assets, or individuals," causing minor degradation, financial loss, or harm to individuals.


 * Access control
   * AC-1, Access Control Policies and Procedures
   * AC-2, Account management
   * AC-3, Access enforcement
   * AC-7, Unsuccessful login attempts
   * AC-8, System use notification
   * AC-14, Permitted use without identification or authentication
   * AC-17, Remote access controls
   * AC-18, Wireless access controls
   * AC-19, Access controls for mobile devices
   * AC-20, External information systems
   * AC-22, Publicly accessible content
 * Awareness and training
 * Audit and accountability
 * Security assessment and authorization
 * Configuration management
 * Contingency planning
 * Identification and authentication
 * Incident response
 * Maintenance
 * Media protection
 * Physical and environmental protection
 * Security planning
 * Personnel security
 * Information system risk assessment
 * Information system and services acquisition
 * Information system and communications protection
 * Information system and integrity
   * SI-1, Policy and procedures
   * SI-2, Flaw remediation
   * SI-3, Malicious code protection