Egnyte DFARS Compliance Overview

Transcription

DFARS Compliance Overview

CONFIDENTIAL
This document and the information set forth herein are the proprietary property of Egnyte, and are to be held in confidence. No part of this document may be copied, reproduced or disclosed to third parties without the expressed written consent of Egnyte.

Document Version: 1.0
Origination Date: 12/31/2017
Revision Date: 01/12/2017
Author: Kris Lahiri
Status: Approved

Introduction

Egnyte recognizes that some of our customers may be subject to the new DFARS Department of Defense (DoD) requirements that came into effect on 12/31/2017.

On October 21, 2016, the Department of Defense (DoD) issued its Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) and imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI).

The final DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) specifies safeguards to include cyber incident reporting requirements and additional considerations for cloud service providers.

The DFARS clause 252.204-7012 leverages the NIST 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” standard for the implementation of the associated controls required by the regulation.

Egnyte Solutions

Egnyte Connect is designed with business in mind, so IT can focus on security & performance, while users can access all their content from their desktop, mobile and browser.

Egnyte Protect is the industry’s first cloud-based content governance solution. It provides you with powerful and easy-to-use tools to protect your employee and customer privacy, intellectual property, and confidential information. Egnyte Protect finds where your sensitive content is and centrally enforces your access policies across content repositories to maximize control and security.

DFARS Compliance

Egnyte currently does not deal directly with DoD customers; however, it has been requested by several customers to be DFARS compliant. Although DFARS does not directly regulate Egnyte, Egnyte is considered within the supply chain or “flow down” from customers who do have DoD customers.

Egnyte will not directly receive Controlled Unclassified Information (CUI). Any CUI placed within the Egnyte platform is not accessible due to the transmission and storage encryption mechanisms Egnyte has in place on all production systems.

With that said, Egnyte has drafted this overview to provide our customers with a mapping based on the NIST 800-171 Appendix D tables containing the 109 control requirements, and has mapped the policies, procedures and controls that are in place under Egnyte's ISO27001 and ISO27018 certifications.

These mappings provide assurance to our customers impacted by DFARS that Egnyte has the necessary controls in place to meet the NIST 800-171 control requirements through the implementation of the ISO27001 controls. Egnyte does not exclude any ISO27001 or ISO27018 controls under the certification, which has been in place since 2015.

Egnyte is currently also undergoing SSAE18 SOC 2 Type 2 attestation in 2018, utilizing many of the same controls that would be leveraged for NIST 800-171.

NIST 800-171 Standards - Egnyte Process Area Mapping

The table below is derived from Appendix D within the NIST 800-171 standard (available at .../800-171/rev-1/final), with the applicable Egnyte process area mapped to the controls. NIST 800-171 leverages NIST 800-53 Moderate controls for its implemented requirements.

NIST 800-171 Control Number | Control Family | Control Text | Egnyte Process Mapping | NIST 800-53 Mapping | ISO 27002:2013
| Access Control | Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems). | Access Control Policy and Procedure | AC-2, AC-3, AC-17 |
3.1.2 | Access Control | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Access Control Policy and Procedure | AC-2, AC-3, AC-17 |
3.1.3 | Access Control | Control the flow of CUI in accordance with approved authorizations. | Access Control Policy and Procedure | | 18.1.3, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3

| Access Control | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Access Control Policy and Procedure | AC-5 |
3.1.5 | Access Control | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Access Control Policy and Procedure | AC-6, AC-6(1), AC-6(5) |
3.1.6 | Access Control | Use non-privileged accounts or roles when accessing nonsecurity functions. | Access Control Policy and Procedure | AC-6(2) |
3.1.7 | Access Control | Prevent non-privileged users from executing privileged functions and audit the execution of such functions. | Access Control Policy and Procedure | AC-6(9), AC-6(10) |
3.1.8 | Access Control | Limit unsuccessful logon attempts. | Access Control Policy and Procedure | AC-7 | A.9.4.2
3.1.9 | Access Control | Provide privacy and security notices consistent with applicable CUI rules. | Access Control Policy and Procedure | AC-9 | A.9.4.2
3.1.10 | Access Control | Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity. | Access Control Policy and Procedure | AC-11, AC-11(1) | A.11.2.8, A.11.2.9
3.1.11 | Access Control | Terminate (automatically) a user session after a defined condition. | Access Control Policy and Procedure | | A.6.2.1, A.13.1.1, A.13.2.1
3.1.12 | Access Control | Monitor and control remote access sessions. | Access Control Policy and Procedure | |
3.1.13 | Access Control | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Access Control Policy and Procedure | AC-17(2) |
3.1.14 | Access Control | Route remote access via managed access control points. | Access Control Policy and Procedure | AC-17(3) |
3.1.15 | Access Control | Authorize remote execution of privileged commands and remote access to security-relevant information. | Access Control Policy and Procedure | AC-17(4) |
3.1.16 | Access Control | Authorize wireless access prior to allowing such connections. | Access Control Policy and Procedure | AC-18 |
3.1.17 | Access Control | Protect wireless access using authentication and encryption. | Access Control Policy and Procedure | |
| Access Control | Control connection of mobile devices. | Mobile Device Policy and Procedure | AC-19 | A.6.2.1, A.11.2.6, A.13.2.1

3.1.19 | Access Control | Encrypt CUI on mobile devices and mobile computing platforms. | Mobile Device Policy and Procedure | AC-19(5) | A.6.2.1, A.11.2.6, A.13.2.1
3.1.20 | Access Control | Verify and control/limit connections to and use of external systems. | Access Control Policy and Procedure | AC-20, AC-20(1) | A.11.2.6, A.13.1.1, A.13.2.1
3.1.21 | Access Control | Limit use of organizational portable storage devices on external systems. | Access Control Policy and Procedure | |
3.1.22 | Access Control | Control CUI posted or processed on publicly accessible systems. | Access Control Policy and Procedure | AC-22 | None
3.2.1 | Awareness and Training | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | Awareness and Training | AT-2, AT-3 | A.7.2.2, A.12.2.1
3.2.2 | Awareness and Training | Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. | Awareness and Training | AT-2, AT-3 | A.7.2.2, A.12.2.1
3.2.3 | Awareness and Training | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Awareness and Training | AT-2(2) | A.7.2.2, A.12.2.1
3.3.1 | Audit and Accountability | Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity. | Audit and Accountability | AU-2, AU-3, AU-3(1), AU-6, AU-12 | A.12.4.1, A.12.4.3, A.16.1.2, A.16.1.4
3.3.2 | Audit and Accountability | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Audit and Accountability | AU-2, AU-3, AU-3(1), AU-6, AU-12 | A.12.4.1, A.12.4.3, A.16.1.2, A.16.1.4
3.3.3 | Audit and Accountability | Review and update audited events. | Audit and Accountability | AU-2(3) | None
3.3.4 | Audit and Accountability | Alert in the event of an audit process failure. | Audit and Accountability | AU-5 | None
3.3.5 | Audit and Accountability | Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. | Audit and Accountability | AU-6(1), AU-6(3) | A.12.4.1, A.16.1.2, A.16.1.4
3.3.6 | Audit and Accountability | Provide audit reduction and report generation to support on-demand analysis and reporting. | Audit and Accountability | AU-7 | None
3.3.7 | Audit and Accountability | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Audit and Accountability | AU-8, AU-8(1) | A.12.4.4

3.3.8 | Audit and Accountability | Protect audit information and audit tools from unauthorized access, modification, and deletion. | Audit and Accountability | AU-9 | A.12.4.2, A.12.4.3, A.18.1.3
3.3.9 | Audit and Accountability | Limit management of audit functionality to a subset of privileged users. | Audit and Accountability | |
| Configuration Management | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Configuration Management Policy and Procedure | CM-2, CM-6, CM-8, CM-8(1) | A.8.1.1, A.8.1.2
| Configuration Management | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Configuration Management Policy and Procedure | CM-2, CM-6, CM-8 |
| Configuration Management | Track, review, approve/disapprove, and audit changes to | Configuration Management Policy and Procedure | | A.14.2.4
| Configuration Management | Analyze the security impact of changes prior to implementation. | Configuration Management Policy and Procedure | CM-4 | A.14.2.3
3.4.5 | Configuration Management | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Configuration Management Policy and Procedure | CM-5 |
3.4.6 | Configuration Management | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Configuration Management Policy and Procedure | | A.12.5.1 (ISO control doesn't completely match NIST 800-53)
| Configuration Management | Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. | Configuration Management Policy and Procedure | CM-7(1), CM-7(2) | A.12.5.1 (ISO control doesn't completely match NIST 800-53)
3.4.8 | Configuration Management | Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Configuration Management Policy and Procedure | CM-7(4), CM-7(5) | A.12.5.1 (ISO control doesn't completely match NIST 800-53)
3.4.9 | Configuration Management | Control and monitor | | | A.12.5.1 (ISO control doesn't completely match NIST 800-53)
| Identification and Authentication | Identify system users, processes acting on behalf of users, or devices. | Access Control Policy and Procedure | IA-2, IA-5 | A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

3.5.2 | Identification and Authentication | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Access Control Policy and Procedure | IA-2, IA-5 | A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
3.5.3 | Identification and Authentication | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Access Control Policy and Procedure | IA-2(1), IA-2(2), IA-2(3) | A.9.2.1
3.5.4 | Identification and Authentication | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Access Control Policy and Procedure | IA-2(8), IA-2(9) | A.9.2.1
3.5.5 | Identification and Authentication | Prevent reuse of identifiers for a defined period. | Access Control Policy and Procedure | IA-4 | A.9.2.1
3.5.6 | Identification and Authentication | Disable identifiers after a defined period of inactivity. | Access Control Policy and Procedure | IA-4 | A.9.2.1
3.5.7 | Identification and Authentication | Enforce a minimum password complexity and change of characters when new passwords are created. | Password Policy and Procedure | IA-5(1) | 2.4, A.9.3.1, A.9.4.3
3.5.8 | Identification and Authentication | Prohibit password reuse for a specified number of generations. | Password Policy and Procedure | IA-5(1) |
3.5.9 | Identification and Authentication | Allow temporary password use for system logons with an immediate change to a permanent password. | Password Policy and Procedure | IA-5(1) |
3.5.10 | Identification and Authentication | Store and transmit only cryptographically-protected passwords. | Password Policy and Procedure | IA-5(1) |
3.5.11 | Identification and Authentication | Obscure feedback of authentication information. | Password Policy and Procedure | IA-5(1) |
| Incident Response | Establish an operational incident handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. | Incident Management Policy and Procedure | IR-2, IR-4, IR-5, IR-6, IR-7 | A.6.1.3, A.7.2.2 (ISO Control doesn't completely match NIST 800-53)
| Incident Response | Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. | Incident Management Policy and Procedure | IR-2, IR-4, IR-5, IR-6 | A.6.1.3, A.7.2.2 (ISO Control doesn't completely match NIST 800-53), A.16.1.2, A.16.1.4

| Incident Response | Test the organizational incident response capability. | Incident Management Policy and Procedure | IR-3, IR-3(2) | None
| Maintenance | Perform maintenance on organizational systems. | Asset Management Policy and Procedure | MA-2, MA-3, MA-3(1), MA-3(2) | A.11.2.4, A.11.2.5 (ISO Controls don't completely match NIST 800-53)
| Maintenance | Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Asset Management Policy and Procedure | MA-2, MA-3, MA-3(1), MA-3(2) | A.11.2.4, A.11.2.5 (ISO Controls don't completely match NIST 800-53)
| Maintenance | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Asset Management Policy and Procedure | MA-2 | A.11.2.4, A.11.2.5 (ISO Controls don't completely match NIST 800-53)
| Maintenance | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Asset Management Policy and Procedure | MA-3(2) | None
| Maintenance | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | Asset Management Policy and Procedure | MA-4 | None
| Maintenance | Supervise the maintenance activities of maintenance personnel without required access authorization. | Asset Management Policy and Procedure | MA-5 | None
3.8.1 | Media Protection | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | MP-2, MP-4, MP-6 | A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7, A.11.2.9
3.8.2 | Media Protection | Limit access to CUI on system media to authorized users. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | MP-2, MP-4 |

3.8.3 | Media Protection | Sanitize or destroy system media containing CUI before disposal or release for reuse. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | |
3.8.4 | Media Protection | Mark media with necessary CUI markings and distribution limitations. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | |
3.8.5 | Media Protection | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | |
3.8.6 | Media Protection | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | |
3.8.7 | Media Protection | Control the use of removable media on system components. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | MP-2, MP-4, -7 | A.8.2.3, A.8.3.1
3.8.8 | Media Protection | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Data Classification Policy and Procedure; Asset Management Policy and Procedure | MP-7(1) | A.8.2.3, A.8.3.1
3.8.9 | Media Protection | Protect the confidentiality of backup CUI at storage locations. | Backup Policy and Procedure | CP-9 | A.12.3.1, A.17.1.2, A.18.1.3
3.9.1 | Personnel Security | Screen individuals prior to authorizing access to organizational systems containing CUI. | Human Resources Policy and Procedure | PS-3, PS-4, PS-5 | A.7.1.1, A.7.3.1, A.8.1.4
3.9.2 | Personnel Security | Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | Human Resources Policy and Procedure | PS-3, PS-4, PS-5 | A.7.1.1, A.7.3.1, A.8.1.4
3.10.1 | Physical Protection | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | Physical & Environmental Security Policy and Procedure | PE-2, PE-5, PE-6 | A.11.1.2, A.11.1.3

3.10.2 | Physical Protection | Protect and monitor the physical facility and support infrastructure for organizational systems. | Physical & Environmental Security Policy and Procedure | PE-2, PE-5, PE-6 |
3.10.3 | Physical Protection | Escort visitors and monitor visitor activity. | Physical & Environmental Security Policy and Procedure | |
3.10.4 | Physical Protection | Maintain audit logs of physical access. | Physical & Environmental Security Policy and Procedure | |
3.10.5 | Physical Protection | Control and manage physical access devices. | Physical & Environmental Security Policy and Procedure | |
3.10.6 | Physical Protection | Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). | BCP DR Policy and Procedure; Remote Access Policy and Procedure | |
3.11.1 | Risk Assessment | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Information Security Governance Policy and Procedure | A-3 | A.12.6.1 (ISO control doesn't completely match NIST 800-53)
3.11.2 | Risk Assessment | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Configuration Management Policy and Procedure | RA-5, RA-5(5) | A.12.6.1 (ISO control doesn't completely match NIST 800-53)
3.11.3 | Risk Assessment | Remediate vulnerabilities in accordance with assessments of risk. | Configuration Management Policy and Procedure | RA-5 | A.12.6.1 (ISO control doesn't completely match NIST 800-53)
3.12.1 | Security Assessment | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Compliance Policy and Procedure | CA-2, CA-5, CA-7 | A.14.2.8, A.18.2.2, A.18.2.3 (for CA-2 only)
3.12.2 | Security Assessment | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Compliance Policy and Procedure | CA-2, CA-5, CA-7 | A.14.2.8, A.18.2.2, A.18.2.3 (for CA-2 only)
3.12.3 | Security Assessment | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Compliance Policy and Procedure | CA-2, CA-5, CA-7 | A.14.2.8, A.18.2.2, A.18.2.3 (for CA-2 only)
3.12.4 | Security Assessment | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Compliance Policy and Procedure | |
3.13.1 | System and Communications Protection | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | SC-7 | A.14.1.2, A.14.1.3
3.13.2 | System and Communications Protection | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | SC-7 |
3.13.3 | System and Communications Protection | Separate user functionality from system management functionality. | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | | None
3.13.4 | System and Communications Protection | Prevent unauthorized and unintended information transfer via shared system resources. | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | SC-4 | None
3.13.5 | System and Communications Protection | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | SC-7 | 3.1.1, A.13.1.3, A.13.2.1, A.14.1.3
3.13.6 | System and Communications Protection | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Infrastructure Security Policy and Procedure; Production Access Policy and Procedure | |
3.13.7 | System and Communications Protection | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks. | Remote Access Policy and Procedure | |
3.13.8 | System and Communications Protection | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Cryptographic & Key Management Policy and Procedure | SC-8 | A.14.1.3
3.13.9 | System and Communications Protection | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Access Control Policy and Procedure | SC-10 | A.13.1.1

3.13.10 | System and Communications Protection | Establish and manage cryptographic keys for cryptography employed in organizational systems; | Cryptographic & Key Management Policy and Procedure | SC-12 |
3.13.11 | System and Communications Protection | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Cryptographic & Key Management Policy and Procedure | SC-13 |
3.13.12 | System and Communications Protection | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | Remote Access Policy and Procedure | SC-15 | A.13.2.1 (ISO control doesn't completely match NIST 800-53)
3.13.13 | System and Communications Protection | Control and monitor the use of mobile code. | Anti-Virus, Malware Policy and Procedure | SC-18 | None
3.13.14 | System and Communications Protection | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Infrastructure Security Policy and Procedure | SC-19 | None
3.13.15 | System and Communications Protection | Protect the authenticity of communications sessions. | Cryptographic & Key Management Policy and Procedure | SC-23 | None
3.13.16 | System and Communications Protection | Protect the confidentiality of CUI at rest. | Cryptographic & Key Management Policy and Procedure | | A.8.2.3 (ISO control doesn't completely match NIST 800-53)
3.14.1 | System and Information Integrity | Identify, report, and correct information and system flaws in a timely manner. | Incident Management Policy and Procedure | SI-2, SI-3, SI-5 | A.6.1.4 (ISO control doesn't completely match NIST 800-53), A.16.1.3
3.14.2 | System and Information Integrity | Provide protection from malicious code at appropriate locations within organizational systems. | Anti-Virus, Malware Policy and Procedure | SI-2, SI-3, SI-5 | A.6.1.4 (ISO control doesn't completely match NIST 800-53), A.16.1.3
3.14.3 | System and Information Integrity | Monitor system security alerts and advisories and take appropriate actions in response. | Monitoring and Logging Policy and Procedure | SI-2, SI-3 | A.6.1.4 (ISO control doesn't completely match NIST 800-53)

| System and Information Integrity | Update malicious code protection mechanisms when new releases are available. | Anti-Virus, Malware Policy and Procedure | SI-3 | A.12.2.1
3.14.5 | System and Information Integrity | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | System and Information Integrity | SI-3 | A.12.2.1
3.14.6 | System and Information Integrity | Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | System and Information Integrity | SI-4, SI-4(4) | None
3.14.7 | System and Information Integrity | Identify unauthorized use of organizational systems. | System and Information Integrity | SI-4 | None
