Control Mapping Matrix

Document ID: PLCY-FED-005
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team


CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

1. Purpose

This document provides a comprehensive mapping between NIST 800-53 Rev 5 controls, SOC 2 Trust Service Criteria (TSC), and Hop And Haul policy documents. It serves as the authoritative cross-reference for federal compliance and audit activities.


2. NIST 800-53 to SOC 2 TSC Mapping

2.1 Access Control (AC) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| AC-1 | Policy and Procedures | CC1.1, CC5.2 | PLCY-ACC-001, PLCY-NIST-AC-001 | Implemented |
| AC-2 | Account Management | CC6.1, CC6.2 | PLCY-ACC-001 | Implemented |
| AC-2(1) | Automated System Account Management | CC6.1 | PLCY-ACC-001 | Implemented |
| AC-2(2) | Automated Temporary Account Removal | CC6.1 | PLCY-SEC-001 (3.3) | Implemented |
| AC-2(3) | Disable Accounts | CC6.1 | PLCY-ACC-001 | Implemented |
| AC-2(4) | Automated Audit Actions | CC6.1, CC7.2 | PLCY-AUD-001 | Implemented |
| AC-3 | Access Enforcement | CC6.1, CC6.3 | PLCY-SEC-001 (3.1) | Implemented |
| AC-4 | Information Flow Enforcement | CC6.1 | PLCY-SEC-001 (5.1) | Implemented |
| AC-5 | Separation of Duties | CC5.1 | PLCY-ACC-001 | Implemented |
| AC-6 | Least Privilege | CC6.1, CC6.3 | PLCY-ACC-001 | Implemented |
| AC-6(1) | Authorize Access to Security Functions | CC6.3 | PLCY-ACC-001 | Implemented |
| AC-6(2) | Non-privileged Access for Non-security Functions | CC6.3 | PLCY-ACC-001 | Implemented |
| AC-6(5) | Privileged Accounts | CC6.1 | PLCY-ACC-001 | Implemented |
| AC-6(9) | Log Use of Privileged Functions | CC7.2 | PLCY-AUD-001 | Implemented |
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions | CC6.3 | PLCY-ACC-001 | Implemented |
| AC-7 | Unsuccessful Logon Attempts | CC6.1 | PLCY-SEC-001 (7.2) | Implemented |
| AC-8 | System Use Notification | CC6.1 | PLCY-SEC-001 | Implemented |
| AC-11 | Device Lock | CC6.1 | PLCY-SEC-001 (3.4) | Implemented |
| AC-12 | Session Termination | CC6.1 | PLCY-SEC-001 (3.3) | Implemented |
| AC-14 | Permitted Actions Without Identification | CC6.1 | PLCY-SEC-001 | Implemented |
| AC-17 | Remote Access | CC6.1, CC6.6 | PLCY-SEC-001 (9) | Implemented |
| AC-17(1) | Monitoring and Control | CC6.6 | PLCY-SEC-001, PLCY-AUD-001 | Implemented |
| AC-17(2) | Protection of Confidentiality and Integrity | CC6.6, CC6.7 | PLCY-SEC-001 (4, 5) | Implemented |
| AC-18 | Wireless Access | CC6.6 | PLCY-SEC-001 | Planned |
| AC-19 | Access Control for Mobile Devices | CC6.1 | PLCY-SEC-001 (3.2) | Implemented |
| AC-20 | Use of External Systems | CC6.6 | PLCY-NIST-SA-001 | Planned |

2.2 Audit and Accountability (AU) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| AU-1 | Policy and Procedures | CC1.1, CC7.2 | PLCY-AUD-001, PLCY-NIST-AU-001 | Implemented |
| AU-2 | Event Logging | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-3 | Content of Audit Records | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-3(1) | Additional Audit Information | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-4 | Audit Log Storage Capacity | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-5 | Response to Audit Logging Process Failures | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-5(1) | Storage Capacity Warning | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-6 | Audit Record Review, Analysis, and Reporting | CC7.2, CC7.3 | PLCY-CTL-001 | Implemented |
| AU-6(1) | Automated Process Integration | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-6(3) | Correlate Audit Record Repositories | CC7.2 | PLCY-AUD-001 | Planned |
| AU-7 | Audit Record Reduction and Report Generation | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-8 | Time Stamps | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-8(1) | Synchronization with Authoritative Time Source | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-9 | Protection of Audit Information | CC7.2 | PLCY-SEC-001 (7.3) | Implemented |
| AU-9(4) | Access by Subset of Privileged Users | CC7.2 | PLCY-AUD-001 | Implemented |
| AU-11 | Audit Record Retention | CC7.2 | PLCY-RET-001 | Implemented |
| AU-12 | Audit Record Generation | CC7.2 | PLCY-AUD-001 | Implemented |

2.3 Configuration Management (CM) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| CM-1 | Policy and Procedures | CC1.1, CC8.1 | PLCY-SEC-001, PLCY-NIST-CMSI-001 | Implemented |
| CM-2 | Baseline Configuration | CC8.1 | PLCY-DRP-001 | Implemented |
| CM-2(2) | Automation Support for Accuracy and Currency | CC8.1 | PLCY-DRP-001 | Planned |
| CM-3 | Configuration Change Control | CC8.1 | PLCY-SEC-001 (8) | Implemented |
| CM-3(2) | Testing, Validation, and Documentation | CC8.1 | PLCY-SEC-001 (8.2) | Implemented |
| CM-4 | Impact Analysis | CC8.1 | PLCY-SEC-001 (8) | Implemented |
| CM-5 | Access Restrictions for Change | CC8.1 | PLCY-SEC-001 (8) | Implemented |
| CM-6 | Configuration Settings | CC8.1 | PLCY-DRP-001 | Implemented |
| CM-7 | Least Functionality | CC6.8 | PLCY-INF-001 | Implemented |
| CM-7(1) | Periodic Review | CC6.8 | PLCY-INF-001 | Implemented |
| CM-8 | System Component Inventory | CC8.1 | - | Gap |
| CM-10 | Software Usage Restrictions | CC8.1 | PLCY-SEC-001 | Implemented |
| CM-11 | User-installed Software | CC8.1 | PLCY-SEC-001 | Implemented |

2.4 Contingency Planning (CP) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| CP-1 | Policy and Procedures | CC1.1, A1.2 | PLCY-DRP-001 | Implemented |
| CP-2 | Contingency Plan | A1.2 | PLCY-DRP-001 | Implemented |
| CP-2(1) | Coordinate with Related Plans | A1.2 | PLCY-DRP-001 | Implemented |
| CP-2(3) | Resume Mission Functions | A1.2 | PLCY-DRP-001 | Implemented |
| CP-3 | Contingency Training | A1.2 | PLCY-RSK-001 | Implemented |
| CP-4 | Contingency Plan Testing | A1.2, A1.3 | PLCY-RSK-001, PLCY-DRP-001 | Implemented |
| CP-4(1) | Coordinate with Related Plans | A1.3 | PLCY-DRP-001 | Implemented |
| CP-6 | Alternate Storage Site | A1.2 | PLCY-DRP-001 | Implemented |
| CP-7 | Alternate Processing Site | A1.2 | PLCY-DRP-001 | Implemented |
| CP-9 | System Backup | A1.2 | PLCY-DRP-001 | Implemented |
| CP-9(1) | Testing for Reliability and Integrity | A1.3 | PLCY-DRP-001 | Implemented |
| CP-10 | System Recovery and Reconstitution | A1.2 | PLCY-DRP-001 | Implemented |
| CP-10(2) | Transaction Recovery | A1.2 | PLCY-DRP-001 | Implemented |

2.5 Identification and Authentication (IA) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| IA-1 | Policy and Procedures | CC1.1, CC6.1 | PLCY-SEC-001 | Implemented |
| IA-2 | Identification and Authentication | CC6.1 | PLCY-SEC-001 (3.2) | Implemented |
| IA-2(1) | Multi-factor Authentication to Privileged Accounts | CC6.1 | PLCY-SEC-001 (3.2) | Implemented |
| IA-2(2) | Multi-factor Authentication to Non-privileged Accounts | CC6.1 | PLCY-SEC-001 (3.2) | Implemented |
| IA-2(8) | Access to Accounts - Replay Resistant | CC6.1 | PLCY-SEC-001 (3.3) | Implemented |
| IA-2(12) | Acceptance of PIV Credentials | CC6.1 | - | Gap |
| IA-4 | Identifier Management | CC6.1 | PLCY-ACC-001 | Implemented |
| IA-5 | Authenticator Management | CC6.1 | PLCY-SEC-001 (3.2) | Implemented |
| IA-5(1) | Password-based Authentication | CC6.1 | PLCY-SEC-001 | Implemented |
| IA-5(2) | PKI-based Authentication | CC6.1 | PLCY-SEC-001 | Planned |
| IA-6 | Authenticator Feedback | CC6.1 | PLCY-SEC-001 | Implemented |
| IA-8 | Identification and Authentication (Non-organizational Users) | CC6.1 | PLCY-SEC-001 | Implemented |
| IA-11 | Re-authentication | CC6.1 | PLCY-SEC-001 (3.4) | Implemented |

2.6 Incident Response (IR) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| IR-1 | Policy and Procedures | CC1.1, CC7.3 | PLCY-INC-001, PLCY-NIST-IR-001 | Implemented |
| IR-2 | Incident Response Training | CC7.3 | PLCY-RSK-001 | Implemented |
| IR-3 | Incident Response Testing | CC7.3, CC7.4 | PLCY-RSK-001 | Implemented |
| IR-4 | Incident Handling | CC7.3, CC7.4 | PLCY-INC-001 | Implemented |
| IR-4(1) | Automated Incident Handling Processes | CC7.3 | PLCY-INC-001 | Implemented |
| IR-5 | Incident Monitoring | CC7.3 | PLCY-INC-001 | Implemented |
| IR-6 | Incident Reporting | CC7.3, CC7.4 | PLCY-INC-001 | Implemented |
| IR-6(1) | Automated Reporting | CC7.3 | PLCY-INC-001 | Planned |
| IR-7 | Incident Response Assistance | CC7.3 | PLCY-INC-001 | Implemented |
| IR-8 | Incident Response Plan | CC7.3 | PLCY-INC-001 | Implemented |

2.7 Risk Assessment (RA) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| RA-1 | Policy and Procedures | CC1.1, CC3.1 | PLCY-RSK-001 | Implemented |
| RA-2 | Security Categorization | CC3.1 | PLCY-FED-002 | Implemented |
| RA-3 | Risk Assessment | CC3.2 | PLCY-RSK-001, PLCY-FED-003 | Implemented |
| RA-3(1) | Supply Chain Risk Assessment | CC3.2 | PLCY-NIST-SA-001 | Planned |
| RA-5 | Vulnerability Monitoring and Scanning | CC7.1 | PLCY-SEC-001 (6) | Implemented |
| RA-5(2) | Update Vulnerabilities to Be Scanned | CC7.1 | PLCY-SEC-001 (6.1) | Implemented |
| RA-5(5) | Privileged Access | CC7.1 | PLCY-SEC-001 | Implemented |
| RA-7 | Risk Response | CC3.2 | PLCY-RSK-001 | Implemented |
| RA-9 | Criticality Analysis | CC3.2 | PLCY-RSK-001 | Implemented |

2.8 System and Communications Protection (SC) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| SC-1 | Policy and Procedures | CC1.1, CC6.6 | PLCY-SEC-001 | Implemented |
| SC-4 | Information in Shared System Resources | CC6.1 | PLCY-SEC-001 (3.1) | Implemented |
| SC-5 | Denial-of-service Protection | A1.2 | PLCY-SEC-001 (9) | Implemented |
| SC-7 | Boundary Protection | CC6.6 | PLCY-SEC-001 (9) | Implemented |
| SC-7(4) | External Telecommunications Services | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-7(5) | Deny by Default | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-8 | Transmission Confidentiality and Integrity | CC6.6, CC6.7 | PLCY-SEC-001 (4.2) | Implemented |
| SC-8(1) | Cryptographic Protection | CC6.6 | PLCY-SEC-001 (4.2) | Implemented |
| SC-10 | Network Disconnect | CC6.1 | PLCY-SEC-001 (3.3) | Implemented |
| SC-12 | Cryptographic Key Establishment and Management | CC6.6 | PLCY-SEC-001 (4.3) | Implemented |
| SC-13 | Cryptographic Protection | CC6.6 | PLCY-SEC-001 (4) | Partial (Gap: FIPS 140-2) |
| SC-15 | Collaborative Computing Devices | CC6.1 | PLCY-SEC-001 | Implemented |
| SC-17 | Public Key Infrastructure Certificates | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-20 | Secure Name/Address Resolution Service | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-21 | Secure Name/Address Resolution Service (Recursive) | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-22 | Architecture and Provisioning for Name/Address | CC6.6 | PLCY-SEC-001 | Implemented |
| SC-23 | Session Authenticity | CC6.1 | PLCY-SEC-001 (3.3) | Implemented |
| SC-28 | Protection of Information at Rest | CC6.1, C1.1 | PLCY-SEC-001 (4.1) | Implemented |
| SC-28(1) | Cryptographic Protection | CC6.1 | PLCY-SEC-001 (4.1) | Implemented |

2.9 System and Information Integrity (SI) Family

| NIST Control | Control Name | SOC 2 TSC | Hop And Haul Policy | Status |
| --- | --- | --- | --- | --- |
| SI-1 | Policy and Procedures | CC1.1, CC7.1 | PLCY-SEC-001, PLCY-NIST-CMSI-001 | Implemented |
| SI-2 | Flaw Remediation | CC7.1 | PLCY-SEC-001 (6) | Implemented |
| SI-2(2) | Automated Flaw Remediation Status | CC7.1 | PLCY-SEC-001 (6.2) | Implemented |
| SI-3 | Malicious Code Protection | CC7.1 | PLCY-SEC-001 | Implemented |
| SI-4 | System Monitoring | CC7.2 | PLCY-SEC-001 (7) | Implemented |
| SI-4(2) | Automated Tools and Mechanisms | CC7.2 | PLCY-SEC-001 (7) | Implemented |
| SI-4(4) | Inbound and Outbound Communications Traffic | CC7.2 | PLCY-SEC-001 | Implemented |
| SI-4(5) | System-generated Alerts | CC7.2 | PLCY-SEC-001 (7.2) | Implemented |
| SI-5 | Security Alerts, Advisories, and Directives | CC7.1 | PLCY-INC-001 | Implemented |
| SI-7 | Software, Firmware, and Information Integrity | CC8.1 | - | Gap |
| SI-10 | Information Input Validation | PI1.1 | PLCY-SEC-001 (5.2) | Implemented |
| SI-11 | Error Handling | PI1.1 | PLCY-SEC-001 | Implemented |
| SI-12 | Information Management and Retention | C1.2, PI1.5 | PLCY-RET-001 | Implemented |
| SI-16 | Memory Protection | CC7.1 | PLCY-SEC-001 | Implemented |

3. FedRAMP Moderate Baseline Coverage Summary

3.1 Coverage by Control Family

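| Family | Total Required | Implemented | Planned | Gap | % Complete |
| --- | --- | --- | --- | --- | --- |
| AC (Access Control) | 25 | 20 | 3 | 2 | 80% |
| AT (Awareness & Training) | 6 | 4 | 2 | 0 | 67% |
| AU (Audit & Accountability) | 16 | 15 | 1 | 0 | 94% |
| CA (Assessment & Authorization) | 9 | 5 | 4 | 0 | 56% |
| CM (Configuration Management) | 11 | 9 | 1 | 1 | 82% |
| CP (Contingency Planning) | 13 | 12 | 1 | 0 | 92% |
| IA (Identification & Authentication) | 12 | 10 | 1 | 1 | 83% |
| IR (Incident Response) | 10 | 9 | 1 | 0 | 90% |
| MA (Maintenance) | 6 | 4 | 2 | 0 | 67% |
| MP (Media Protection) | 8 | 6 | 2 | 0 | 75% |
| PE (Physical & Environmental) | 20 | Inherited | - | - | 100% |
| PL (Planning) | 9 | 7 | 2 | 0 | 78% |
| PM (Program Management) | 16 | 12 | 4 | 0 | 75% |
| PS (Personnel Security) | 9 | Inherited | - | - | 100% |
| RA (Risk Assessment) | 9 | 8 | 1 | 0 | 89% |
| SA (System & Services Acquisition) | 22 | 14 | 6 | 2 | 64% |
| SC (System & Communications) | 41 | 32 | 7 | 2 | 78% |
| SI (System & Information Integrity) | 23 | 18 | 4 | 1 | 78% |
| SR (Supply Chain Risk) | 12 | 7 | 4 | 1 | 58% |
| TOTAL | ~325 | ~220 | ~90 | ~15 | ~68% |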

3.2 Gap Summary

| Gap ID | Control | Description | Remediation Phase |
| --- | --- | --- | --- |
| GAP-01 | SC-13 | FIPS 140-2 validated cryptographic modules | Phase 3 |
| GAP-02 | IA-2(12) | PIV/CAC authentication | Phase 3 |
| GAP-03 | CM-8 | Automated component inventory | Phase 2 |
| GAP-04 | SI-7 | Software/firmware integrity verification | Phase 3 |
| GAP-05 | SA-4 | Formal acquisition security requirements | Phase 2 |
| GAP-06 | AC-18 | Wireless access controls | Phase 2 |
| GAP-07 | AC-20 | External system use policy | Phase 2 |
| GAP-08 | SA-9 | External system services assessment | Phase 2 |
| GAP-09 | SR-3 | Supply chain controls and processes | Phase 3 |

4. SOC 2 TSC to NIST 800-53 Reverse Mapping

4.1 Common Criteria (CC) to NIST

| SOC 2 Criteria | Description | NIST 800-53 Controls |
| --- | --- | --- |
| CC1.1 | Control Environment | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SI-1 |
| CC2.1 | Information and Communication | PL-4, PS-6, SA-5 |
| CC3.1 | Risk Assessment | RA-1, RA-2, RA-3 |
| CC3.2 | Risk Mitigation | RA-3, RA-7 |
| CC5.1 | Control Activities | AC-5 |
| CC5.2 | Policies and Procedures | All -1 controls |
| CC6.1 | Logical Access | AC-2, AC-3, AC-5, AC-6, AC-7, AC-11, AC-12, IA-2, IA-4, IA-5, SC-4, SC-28 |
| CC6.2 | Access Authorization | AC-2 |
| CC6.3 | Access Enforcement | AC-3, AC-6 |
| CC6.6 | External Threats | AC-17, SC-7, SC-8, SC-12, SC-13 |
| CC6.7 | Transmission Protection | SC-8 |
| CC6.8 | Malicious Software | CM-7, SI-3 |
| CC7.1 | Vulnerability Management | RA-5, SI-2 |
| CC7.2 | System Monitoring | AU-2, AU-3, AU-6, AU-7, AU-9, AU-12, SI-4 |
| CC7.3 | Incident Response | IR-4, IR-5, IR-6, IR-7, IR-8 |
| CC7.4 | Incident Recovery | IR-4, IR-6 |
| CC8.1 | Change Management | CM-2, CM-3, CM-4, CM-5, CM-6, CM-8 |

4.2 Availability (A1) to NIST

| SOC 2 Criteria | Description | NIST 800-53 Controls |
| --- | --- | --- |
| A1.1 | Capacity Management | CP-2, SC-5 |
| A1.2 | Recovery Operations | CP-2, CP-6, CP-7, CP-9, CP-10 |
| A1.3 | Recovery Testing | CP-4 |

4.3 Confidentiality (C1) to NIST

| SOC 2 Criteria | Description | NIST 800-53 Controls |
| --- | --- | --- |
| C1.1 | Data Protection | SC-28 |
| C1.2 | Data Disposal | MP-6, SI-12 |

4.4 Processing Integrity (PI1) to NIST

| SOC 2 Criteria | Description | NIST 800-53 Controls |
| --- | --- | --- |
| PI1.1 | Input Validation | SI-10 |
| PI1.2 | Processing Accuracy | SI-10 |
| PI1.3 | Output Review | SI-10 |
| PI1.5 | Data Retention | SI-12 |

5. Document References

| Document ID | Title | Controls Mapped |
| --- | --- | --- |
| PLCY-SEC-001 | Security Controls | AC, SC, CM, SI |
| PLCY-ACC-001 | Access Control Matrix | AC |
| PLCY-AUD-001 | Audit Trail Specs | AU |
| PLCY-INC-001 | Incident Response | IR |
| PLCY-DRP-001 | Disaster Recovery | CP, CM |
| PLCY-RSK-001 | Risk Assessment | RA, PM |
| PLCY-RET-001 | Records Retention | AU-11, SI-12 |
| PLCY-INF-001 | Infrastructure Sizing | CM-7 |
| PLCY-CTL-001 | Control Testing | CA, AU-6 |

6. Document Control

| Version | Date | Author | Changes |
| --- | --- | --- | --- |
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |

CONFIDENTIAL - Internal Use Only - Hop And Haul Policy Documentation