From 0153500e805c37ea522c1acce620dc0499b41cc3 Mon Sep 17 00:00:00 2001
From: Wendell Piez <wendell.piez@nist.gov>
Date: Tue, 27 Aug 2019 16:15:37 -0400
Subject: [PATCH] Cleanup of models and data (#476)

* Schematron now reports duplicate definitions in a Metaschema as an error: see #465, #475

* Catalog metaschema and SP800-53 catalog adjustments renaming 'subcontrol' to 'control' per Issue #473

* Refactored metaschemas to avoid definition clashes; more/better Schematron to detect such clashes

* Adding new module now required by catalog and profile metaschemas

* Revising profiles to be valid to newly revised schema (no more references to subcontrol elements only controls)

* Bug fix in Metaschema Schematron

* Delete FedRAMP_HIGH-baseline_profile.xml

* Delete FedRAMP_LOW-baseline_profile.xml

* Delete FedRAMP_MODERATE-baseline_profile.xml

* Create temp.txt

* Revised FedRAMP Profiles

These files include revisions to the FedRAMP baselines, plus a small FedRAMP catalog that provides three subcontrols added by FedRAMP.

* Delete temp.txt

* moved updated fedramp content to correct location

* New and improved FedRAMP profiles

* Repaired broken markdown conversion; added missing title content to FedRAMP catalog

* add note about b -> strong and i -> em (#9)

* Changed inline markup in FedRAMP profiles for lossless conversion

* One more adjustment in Markdown->XML conversion (images)

* One more time (cleaning up cleanup)
---
 build/metaschema/json/md-oscal-converter.xsl  |   59 +-
 build/metaschema/lib/metaschema-check.sch     |    7 +-
 .../documentation/schemas/datatypes.md        |    2 +
 .../xml/FedRAMP_HIGH-baseline_profile.xml     | 4270 ++++-------------
 .../xml/FedRAMP_LOW-baseline_profile.xml      |  458 +-
 .../xml/FedRAMP_MODERATE-baseline_profile.xml | 1224 +++--
 .../fedramp.gov/xml/FedRAMP_catalog.xml       |   97 +
 ...T_SP-800-53_rev4_HIGH-baseline_profile.xml |  346 +-
 ...ST_SP-800-53_rev4_LOW-baseline_profile.xml |   18 +-
 ...-800-53_rev4_MODERATE-baseline_profile.xml |  204 +-
 .../rev4/xml/NIST_SP-800-53_rev4_catalog.xml  | 2668 +++++-----
 src/metaschema/oscal_catalog_metaschema.xml   |  187 +-
 .../oscal_control_common_metaschema.xml       |  190 +
 ...oscal_implementation-common_metaschema.xml |    6 +-
 src/metaschema/oscal_profile_metaschema.xml   |  160 +-
 15 files changed, 4064 insertions(+), 5832 deletions(-)
 create mode 100644 src/content/fedramp.gov/xml/FedRAMP_catalog.xml
 create mode 100644 src/metaschema/oscal_control_common_metaschema.xml

diff --git a/build/metaschema/json/md-oscal-converter.xsl b/build/metaschema/json/md-oscal-converter.xsl
index 52bb262fab..0f1c97eeb8 100644
--- a/build/metaschema/json/md-oscal-converter.xsl
+++ b/build/metaschema/json/md-oscal-converter.xsl
@@ -11,6 +11,7 @@
     <xsl:param name="target-ns" as="xs:string?">http://csrc.nist.gov/ns/oscal/1.0</xsl:param>
 
     <xsl:template name="xsl:initial-template" match="/">
+        <!--<xsl:copy-of select="$tag-replacements"/>-->
         <!--<xsl:copy-of select="$examples"/>-->
         <xsl:call-template name="parse">
             <xsl:with-param name="markdown-str" select="string($examples)"/>
@@ -85,10 +86,12 @@
         <xsl:variable name="flat-structures">
             <xsl:apply-templates select="$rough-blocks" mode="mark-structures"/>
         </xsl:variable>
-        <!--<xsl:copy-of select="$flat-structures"/>-->
+        <!-- for debugging <xsl:copy-of select="$flat-structures"/>-->
+        
         <xsl:variable name="nested-structures">
             <xsl:apply-templates select="$flat-structures" mode="build-structures"/>
         </xsl:variable>
+        <!-- for debugging <xsl:copy-of select="$nested-structures"/>-->
         
         <xsl:variable name="fully-marked">
             <xsl:apply-templates select="$nested-structures" mode="infer-inlines"/>
@@ -239,10 +242,11 @@
         <xsl:param name="group" select="m:li"/>
 
         <xsl:variable name="this-type" select="$group[1]/@type"/>
-        <!-- first, splitting ul from ol groups -->
-        <xsl:for-each-group select="$group" group-starting-with="*[@level = $level and not(@type = preceding-sibling::*/@type)]">    
-            <xsl:element name="m:{ $group[1]/@type }" namespace="http://csrc.nist.gov/ns/oscal/1.0/md-convertor">
-            <xsl:for-each-group select="current-group()" group-starting-with="li[@level = $level]">
+         <!--first, splitting ul from ol groups -->
+        <!--<xsl:for-each-group select="$group" group-starting-with="*[@level = $level and not(@type = preceding-sibling::*[1]/@type)]">-->    
+        <!--<xsl:for-each-group select="$group" group-starting-with="*[@level = $level]">-->    
+        <xsl:element name="m:{ $group[1]/@type }" namespace="http://csrc.nist.gov/ns/oscal/1.0/md-convertor">
+            <xsl:for-each-group select="$group" group-starting-with="m:li[(@level = $level) or not(@type = preceding-sibling::*[1]/@type)]">
                 <xsl:choose>
                     <xsl:when test="@level = $level (: checking first item in group :)">
                         <m:li>
@@ -269,7 +273,7 @@
                 </xsl:choose>
             </xsl:for-each-group>
         </xsl:element>
-        </xsl:for-each-group>
+        <!--</xsl:for-each-group>-->
     </xsl:template>
 
     <xsl:template match="m:pre//text()" mode="infer-inlines">
@@ -363,10 +367,10 @@
             
             <q>"<text/>"</q>
             
-            <img         alt="!\[{{$text}}\]" src="\({{$text}}\)"/>
+            <img         alt="!\[{{$noclosebracket}}\]" src="\({{$nocloseparen}}\)"/>
             <insert param-id="\{{\{{{{$nws}}\}}\}}"/>
             
-            <a href="\[{{$text}}\]">\(<text/>\)</a>
+            <a href="\[{{$nocloseparen}}\]">\(<text not="\)"/>\)</a>
             <code>`<text/>`</code>
             <strong>
                 <em>\*\*\*<text/>\*\*\*</em>
@@ -402,6 +406,14 @@
         <xsl:value-of select="replace(., '\{\$text\}', '(.*)?')"/>
     </xsl:template>
     
+    <xsl:template match="@*[matches(., '\{\$nocloseparen\}')]" mode="write-match">
+        <xsl:value-of select="replace(., '\{\$nocloseparen\}', '([^\\(]*)?')"/>
+    </xsl:template>
+    
+    <xsl:template match="@*[matches(., '\{\$noclosebracket\}')]" mode="write-match">
+        <xsl:value-of select="replace(., '\{\$noclosebracket\}', '([^\\[]*)?')"/>
+    </xsl:template>
+    
     <xsl:template match="@*[matches(., '\{\$nws\}')]" mode="write-match">
         <!--<xsl:value-of select="."/>-->
         <!--<xsl:value-of select="replace(., '\{\$nws\}', '(\S*)?')"/>-->
@@ -435,6 +447,16 @@
         <xsl:text>(.*?)</xsl:text>
     </xsl:template>
     
+    <xsl:template match="m:text[@not]" mode="write-match">
+        <xsl:text expand-text="true">([^{ @not }]*?)</xsl:text>
+    </xsl:template>
+    
+    <!--<xsl:template match="m:text" mode="write-match">
+        <xsl:variable name="match-char"
+            select="if (matches(@not,'\S')) then ('[' || @not || ']') else '.'"/>
+        <xsl:text expand-text="true">({ $match-char }*?)</xsl:text>
+    </xsl:template>-->
+    
     <xsl:variable name="line-example" xml:space="preserve"> { insertion } </xsl:variable>
     
      <xsl:variable name="examples" xml:space="preserve">
@@ -448,10 +470,11 @@ Paragraph, \n\nand new paragraph
 Bit of `code` here and there, such as one might have along with *italics*.
 
 no insertion here: { ac-4.4_prm_2 } 
- 
+
+An anchor looks like [this](this.file) or  [that](that.file)
  
 Extra long x
-            y and z
+            y and z **strong** and **bold**
             
 
 Here's a text with a *parameter* insertion: {{ insert }}
@@ -465,7 +488,7 @@ And many paragraphs!
 * One item in a list, with "quoted text"
 * Another item in a list
   * Sublist
-   * subsublist
+    * subsublist
 * Item three
 
 ```xml
@@ -474,6 +497,8 @@ And many paragraphs!
 ... select ...>
 ```
 
+Some paragraphs have ![images](http://www.links.com) in them, sometimes ![many](../many/links)
+
 And Prose!
 
 ```
@@ -496,10 +521,14 @@ And stuff.
 
         </p>
         <p>Here's a markdown string.</p>
-        <p>This `string should *break` (overlap)*</p>
-        <p>`code` may occasionally turn up `in the middle`.</p>
-        <p>Here's a ***really interesting*** markdown string.</p>
-        <p>Some paragraphs might have [links elsewhere](https://link.org).</p>
+
+         <p>This `string should *break` (overlap)*</p>
+        
+         <p>`code` may occasionally turn up `in the middle`.</p>
+        
+         <p>Here's a ***really interesting*** markdown string.</p>
+        
+         <p>Some paragraphs might have [links elsewhere](https://link.org).</p>
     </xsl:variable>
     
 </xsl:stylesheet>
\ No newline at end of file
diff --git a/build/metaschema/lib/metaschema-check.sch b/build/metaschema/lib/metaschema-check.sch
index 222bec1bba..fc57141527 100644
--- a/build/metaschema/lib/metaschema-check.sch
+++ b/build/metaschema/lib/metaschema-check.sch
@@ -20,7 +20,6 @@
     <xsl:key name="invocation-by-ref" match="m:assembly[exists(@ref)] | m:field[exists(@ref)] | m:flag[exists(@ref)]" use="@ref"/>
     <xsl:key name="flags-by-name" match="m:define-flag | m:flag[@name]" use="@name"/>
     
-    
     <sch:ns uri="http://csrc.nist.gov/ns/oscal/metaschema/1.0" prefix="m"/>
     
     <xsl:variable name="example-ns" select="'http://csrc.nist.gov/ns/oscal/example'"/>
@@ -37,9 +36,10 @@
 <!--  grouping name can't be the same as the name
       group-as is present whenever not(@max-occurs = 1) -->
     <sch:pattern>
-        
         <sch:rule context="m:define-assembly | m:define-field | m:define-flag">
-            <sch:assert role="warning" test="count(key('definition-by-name',@name)) = 1">Definition for '<sch:value-of select="@name"/>' is not unique in this metaschema module (only the last one found will be used)</sch:assert>
+            <!-- $compleat assembles all definitions from all modules (in metaschema-compose.xsl)  -->
+            <sch:let name="contenders" value="key('definition-by-name',@name,$compleat)"/>
+            <sch:assert role="warning" test="count( $contenders ) = 1">Definition for '<sch:value-of select="@name"/>' is not unique in this metaschema;  cf <xsl:value-of select="$contenders/../@module" separator=", "/>.</sch:assert>
             <sch:assert test="exists(m:formal-name)">formal-name missing from <sch:name/></sch:assert>
             <sch:assert test="exists(m:description)">description missing from <sch:name/></sch:assert>
             <sch:assert test="empty(self::m:define-assembly) or exists(m:model)">model missing from <sch:name/></sch:assert>
@@ -47,7 +47,6 @@
             <sch:assert test="not(key('invocation-by-ref',@name)/m:group-as/@json-behavior='BY_KEY') or exists(m:json-key)"><sch:value-of select="substring-after(local-name(),
             'define-')"/> is assigned a json key, but no 'json-key' is given</sch:assert>
             <sch:report test="@name=('RICHTEXT','STRVALUE','PROSE')">Names "STRVALUE", "RICHTEXT" or "PROSE" (reserved names)</sch:report>
-            
         </sch:rule>
 
         <sch:rule context="m:json-key">
diff --git a/docs/content/documentation/schemas/datatypes.md b/docs/content/documentation/schemas/datatypes.md
index 81ca716446..ed85acbdf1 100644
--- a/docs/content/documentation/schemas/datatypes.md
+++ b/docs/content/documentation/schemas/datatypes.md
@@ -358,6 +358,8 @@ The following table describes the equavalent constructs in HTML and Markdown use
 | Ordered List Item | &lt;ol&gt;&lt;li&gt;*text*&lt;/li&gt;&lt;/ol&gt; | 1. *text*
 | Unordered List Item | &lt;ul&gt;&lt;li&gt;*text*&lt;/li&gt;&lt;/ul&gt; | - *text*
 
+Note: Markdown does not have an equivalent of the HTML &lt;i&gt; and &lt;b&gt; tags, which indicate italics and bold respectively. These concepts are mapped in OSCAL markup text to &lt;em&gt; and &lt;strong&gt; [common mark](https://spec.commonmark.org/0.29/#emphasis-and-strong-emphasis), which render equivalently in browsers, but do not have exactly the same semantics. While this mapping is imperfect, it represents the common uses of these HTML tags.
+
 #### Parameter Insertion
 
 The OSCAL catalog, profile, and implementation layer models allow for control parameters to be defined and injected into prose text.
diff --git a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
index c9dc8ac573..9d97777652 100644
--- a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
+++ b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
@@ -15,262 +15,309 @@
 			</org>
 		</party>
 	</metadata>
-  <import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml">
+	<import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
 		<include>
 			<call control-id="ac-1"/>
 			<call control-id="ac-2"/>
-			<call subcontrol-id="ac-2.1"/>
-			<call subcontrol-id="ac-2.2"/>
-			<call subcontrol-id="ac-2.3"/>
-			<call subcontrol-id="ac-2.4"/>
-			<call subcontrol-id="ac-2.5"/>
-			<call subcontrol-id="ac-2.11"/>
+			<call control-id="ac-2.1"/>
+			<call control-id="ac-2.2"/>
+			<call control-id="ac-2.3"/>
+			<call control-id="ac-2.4"/>
+			<call control-id="ac-2.5"/>
+			<call control-id="ac-2.7"/>
+			<call control-id="ac-2.9"/>
+			<call control-id="ac-2.10"/>
+			<call control-id="ac-2.11"/>
+			<call control-id="ac-2.12"/>
+			<call control-id="ac-2.13"/>
 			<call control-id="ac-3"/>
 			<call control-id="ac-4"/>
+			<call control-id="ac-4.8"/>
+			<call control-id="ac-4.21"/>
 			<call control-id="ac-5"/>
 			<call control-id="ac-6"/>
-			<call subcontrol-id="ac-6.1"/>
-			<call subcontrol-id="ac-6.2"/>
-			<call subcontrol-id="ac-6.3"/>
-			<call subcontrol-id="ac-6.5"/>
-			<call subcontrol-id="ac-6.9"/>
-			<call subcontrol-id="ac-6.10"/>
+			<call control-id="ac-6.1"/>
+			<call control-id="ac-6.2"/>
+			<call control-id="ac-6.3"/>
+			<call control-id="ac-6.5"/>
+			<call control-id="ac-6.7"/>
+			<call control-id="ac-6.8"/>
+			<call control-id="ac-6.9"/>
+			<call control-id="ac-6.10"/>
 			<call control-id="ac-7"/>
+			<call control-id="ac-7.2"/>
 			<call control-id="ac-8"/>
 			<call control-id="ac-10"/>
 			<call control-id="ac-11"/>
-			<call subcontrol-id="ac-11.1"/>
+			<call control-id="ac-11.1"/>
 			<call control-id="ac-12"/>
+			<call control-id="ac-12.1"/>
 			<call control-id="ac-14"/>
 			<call control-id="ac-17"/>
-			<call subcontrol-id="ac-17.1"/>
-			<call subcontrol-id="ac-17.2"/>
-			<call subcontrol-id="ac-17.3"/>
-			<call subcontrol-id="ac-17.4"/>
+			<call control-id="ac-17.1"/>
+			<call control-id="ac-17.2"/>
+			<call control-id="ac-17.3"/>
+			<call control-id="ac-17.4"/>
+			<call control-id="ac-17.9"/>
 			<call control-id="ac-18"/>
-			<call subcontrol-id="ac-18.1"/>
-			<call subcontrol-id="ac-18.4"/>
-			<call subcontrol-id="ac-18.5"/>
+			<call control-id="ac-18.1"/>
+			<call control-id="ac-18.3"/>
+			<call control-id="ac-18.4"/>
+			<call control-id="ac-18.5"/>
 			<call control-id="ac-19"/>
-			<call subcontrol-id="ac-19.5"/>
+			<call control-id="ac-19.5"/>
 			<call control-id="ac-20"/>
-			<call subcontrol-id="ac-20.1"/>
-			<call subcontrol-id="ac-20.2"/>
+			<call control-id="ac-20.1"/>
+			<call control-id="ac-20.2"/>
 			<call control-id="ac-21"/>
 			<call control-id="ac-22"/>
 			<call control-id="at-1"/>
 			<call control-id="at-2"/>
-			<call subcontrol-id="at-2.2"/>
+			<call control-id="at-2.2"/>
 			<call control-id="at-3"/>
+			<call control-id="at-3.3"/>
+			<call control-id="at-3.4"/>
 			<call control-id="at-4"/>
 			<call control-id="au-1"/>
 			<call control-id="au-2"/>
-			<call subcontrol-id="au-2.3"/>
+			<call control-id="au-2.3"/>
 			<call control-id="au-3"/>
-			<call subcontrol-id="au-3.1"/>
-			<call subcontrol-id="au-3.2"/>
+			<call control-id="au-3.1"/>
+			<call control-id="au-3.2"/>
 			<call control-id="au-4"/>
 			<call control-id="au-5"/>
-			<call subcontrol-id="au-5.1"/>
-			<call subcontrol-id="au-5.2"/>
+			<call control-id="au-5.1"/>
+			<call control-id="au-5.2"/>
 			<call control-id="au-6"/>
-			<call subcontrol-id="au-6.1"/>
-			<call subcontrol-id="au-6.3"/>
-			<call subcontrol-id="au-6.5"/>
-			<call subcontrol-id="au-6.6"/>
+			<call control-id="au-6.1"/>
+			<call control-id="au-6.3"/>
+			<call control-id="au-6.4"/>
+			<call control-id="au-6.5"/>
+			<call control-id="au-6.6"/>
+			<call control-id="au-6.7"/>
+			<call control-id="au-6.10"/>
 			<call control-id="au-7"/>
-			<call subcontrol-id="au-7.1"/>
+			<call control-id="au-7.1"/>
 			<call control-id="au-8"/>
-			<call subcontrol-id="au-8.1"/>
+			<call control-id="au-8.1"/>
 			<call control-id="au-9"/>
-			<call subcontrol-id="au-9.2"/>
-			<call subcontrol-id="au-9.3"/>
-			<call subcontrol-id="au-9.4"/>
+			<call control-id="au-9.2"/>
+			<call control-id="au-9.3"/>
+			<call control-id="au-9.4"/>
 			<call control-id="au-10"/>
 			<call control-id="au-11"/>
 			<call control-id="au-12"/>
-			<call subcontrol-id="au-12.1"/>
-			<call subcontrol-id="au-12.3"/>
+			<call control-id="au-12.1"/>
+			<call control-id="au-12.3"/>
 			<call control-id="ca-1"/>
 			<call control-id="ca-2"/>
-			<call subcontrol-id="ca-2.1"/>
-			<call subcontrol-id="ca-2.2"/>
+			<call control-id="ca-2.1"/>
+			<call control-id="ca-2.2"/>
+			<call control-id="ca-2.3"/>
 			<call control-id="ca-3"/>
-			<call subcontrol-id="ca-3.5"/>
+			<call control-id="ca-3.3"/>
+			<call control-id="ca-3.5"/>
 			<call control-id="ca-5"/>
 			<call control-id="ca-6"/>
 			<call control-id="ca-7"/>
-			<call subcontrol-id="ca-7.1"/>
+			<call control-id="ca-7.1"/>
+			<call control-id="ca-7.3"/>
 			<call control-id="ca-8"/>
+			<call control-id="ca-8.1"/>
 			<call control-id="ca-9"/>
 			<call control-id="cm-1"/>
 			<call control-id="cm-2"/>
-			<call subcontrol-id="cm-2.1"/>
-			<call subcontrol-id="cm-2.2"/>
-			<call subcontrol-id="cm-2.3"/>
-			<call subcontrol-id="cm-2.7"/>
+			<call control-id="cm-2.1"/>
+			<call control-id="cm-2.2"/>
+			<call control-id="cm-2.3"/>
+			<call control-id="cm-2.7"/>
 			<call control-id="cm-3"/>
-			<call subcontrol-id="cm-3.1"/>
-			<call subcontrol-id="cm-3.2"/>
+			<call control-id="cm-3.1"/>
+			<call control-id="cm-3.2"/>
+			<call control-id="cm-3.4"/>
+			<call control-id="cm-3.6"/>
 			<call control-id="cm-4"/>
-			<call subcontrol-id="cm-4.1"/>
+			<call control-id="cm-4.1"/>
 			<call control-id="cm-5"/>
-			<call subcontrol-id="cm-5.1"/>
-			<call subcontrol-id="cm-5.2"/>
-			<call subcontrol-id="cm-5.3"/>
+			<call control-id="cm-5.1"/>
+			<call control-id="cm-5.2"/>
+			<call control-id="cm-5.3"/>
+			<call control-id="cm-5.5"/>
 			<call control-id="cm-6"/>
-			<call subcontrol-id="cm-6.1"/>
-			<call subcontrol-id="cm-6.2"/>
+			<call control-id="cm-6.1"/>
+			<call control-id="cm-6.2"/>
 			<call control-id="cm-7"/>
-			<call subcontrol-id="cm-7.1"/>
-			<call subcontrol-id="cm-7.2"/>
-			<call subcontrol-id="cm-7.5"/>
+			<call control-id="cm-7.1"/>
+			<call control-id="cm-7.2"/>
+			<call control-id="cm-7.5"/>
 			<call control-id="cm-8"/>
-			<call subcontrol-id="cm-8.1"/>
-			<call subcontrol-id="cm-8.2"/>
-			<call subcontrol-id="cm-8.3"/>
-			<call subcontrol-id="cm-8.4"/>
-			<call subcontrol-id="cm-8.5"/>
+			<call control-id="cm-8.1"/>
+			<call control-id="cm-8.2"/>
+			<call control-id="cm-8.3"/>
+			<call control-id="cm-8.4"/>
+			<call control-id="cm-8.5"/>
 			<call control-id="cm-9"/>
 			<call control-id="cm-10"/>
+			<call control-id="cm-10.1"/>
 			<call control-id="cm-11"/>
+			<call control-id="cm-11.1"/>
 			<call control-id="cp-1"/>
 			<call control-id="cp-2"/>
-			<call subcontrol-id="cp-2.1"/>
-			<call subcontrol-id="cp-2.2"/>
-			<call subcontrol-id="cp-2.3"/>
-			<call subcontrol-id="cp-2.4"/>
-			<call subcontrol-id="cp-2.5"/>
-			<call subcontrol-id="cp-2.8"/>
+			<call control-id="cp-2.1"/>
+			<call control-id="cp-2.2"/>
+			<call control-id="cp-2.3"/>
+			<call control-id="cp-2.4"/>
+			<call control-id="cp-2.5"/>
+			<call control-id="cp-2.8"/>
 			<call control-id="cp-3"/>
-			<call subcontrol-id="cp-3.1"/>
+			<call control-id="cp-3.1"/>
 			<call control-id="cp-4"/>
-			<call subcontrol-id="cp-4.1"/>
-			<call subcontrol-id="cp-4.2"/>
+			<call control-id="cp-4.1"/>
+			<call control-id="cp-4.2"/>
 			<call control-id="cp-6"/>
-			<call subcontrol-id="cp-6.1"/>
-			<call subcontrol-id="cp-6.2"/>
-			<call subcontrol-id="cp-6.3"/>
+			<call control-id="cp-6.1"/>
+			<call control-id="cp-6.2"/>
+			<call control-id="cp-6.3"/>
 			<call control-id="cp-7"/>
-			<call subcontrol-id="cp-7.1"/>
-			<call subcontrol-id="cp-7.2"/>
-			<call subcontrol-id="cp-7.3"/>
-			<call subcontrol-id="cp-7.4"/>
+			<call control-id="cp-7.1"/>
+			<call control-id="cp-7.2"/>
+			<call control-id="cp-7.3"/>
+			<call control-id="cp-7.4"/>
 			<call control-id="cp-8"/>
-			<call subcontrol-id="cp-8.1"/>
-			<call subcontrol-id="cp-8.2"/>
-			<call subcontrol-id="cp-8.3"/>
-			<call subcontrol-id="cp-8.4"/>
+			<call control-id="cp-8.1"/>
+			<call control-id="cp-8.2"/>
+			<call control-id="cp-8.3"/>
+			<call control-id="cp-8.4"/>
 			<call control-id="cp-9"/>
-			<call subcontrol-id="cp-9.1"/>
-			<call subcontrol-id="cp-9.2"/>
-			<call subcontrol-id="cp-9.3"/>
-			<call subcontrol-id="cp-9.5"/>
+			<call control-id="cp-9.1"/>
+			<call control-id="cp-9.2"/>
+			<call control-id="cp-9.3"/>
+			<call control-id="cp-9.5"/>
 			<call control-id="cp-10"/>
-			<call subcontrol-id="cp-10.2"/>
-			<call subcontrol-id="cp-10.4"/>
+			<call control-id="cp-10.2"/>
+			<call control-id="cp-10.4"/>
 			<call control-id="ia-1"/>
 			<call control-id="ia-2"/>
-			<call subcontrol-id="ia-2.1"/>
-			<call subcontrol-id="ia-2.2"/>
-			<call subcontrol-id="ia-2.3"/>
-			<call subcontrol-id="ia-2.4"/>
-			<call subcontrol-id="ia-2.8"/>
-			<call subcontrol-id="ia-2.9"/>
-			<call subcontrol-id="ia-2.11"/>
-			<call subcontrol-id="ia-2.12"/>
+			<call control-id="ia-2.1"/>
+			<call control-id="ia-2.2"/>
+			<call control-id="ia-2.3"/>
+			<call control-id="ia-2.4"/>
+			<call control-id="ia-2.5"/>
+			<call control-id="ia-2.8"/>
+			<call control-id="ia-2.9"/>
+			<call control-id="ia-2.11"/>
+			<call control-id="ia-2.12"/>
 			<call control-id="ia-3"/>
 			<call control-id="ia-4"/>
+			<call control-id="ia-4.4"/>
 			<call control-id="ia-5"/>
-			<call subcontrol-id="ia-5.1"/>
-			<call subcontrol-id="ia-5.2"/>
-			<call subcontrol-id="ia-5.3"/>
-			<call subcontrol-id="ia-5.11"/>
+			<call control-id="ia-5.1"/>
+			<call control-id="ia-5.2"/>
+			<call control-id="ia-5.3"/>
+			<call control-id="ia-5.4"/>
+			<call control-id="ia-5.6"/>
+			<call control-id="ia-5.7"/>
+			<call control-id="ia-5.8"/>
+			<call control-id="ia-5.11"/>
+			<call control-id="ia-5.13"/>
 			<call control-id="ia-6"/>
 			<call control-id="ia-7"/>
 			<call control-id="ia-8"/>
-			<call subcontrol-id="ia-8.1"/>
-			<call subcontrol-id="ia-8.2"/>
-			<call subcontrol-id="ia-8.3"/>
-			<call subcontrol-id="ia-8.4"/>
+			<call control-id="ia-8.1"/>
+			<call control-id="ia-8.2"/>
+			<call control-id="ia-8.3"/>
+			<call control-id="ia-8.4"/>
 			<call control-id="ir-1"/>
 			<call control-id="ir-2"/>
-			<call subcontrol-id="ir-2.1"/>
-			<call subcontrol-id="ir-2.2"/>
+			<call control-id="ir-2.1"/>
+			<call control-id="ir-2.2"/>
 			<call control-id="ir-3"/>
-			<call subcontrol-id="ir-3.2"/>
+			<call control-id="ir-3.2"/>
 			<call control-id="ir-4"/>
-			<call subcontrol-id="ir-4.1"/>
-			<call subcontrol-id="ir-4.4"/>
+			<call control-id="ir-4.1"/>
+			<call control-id="ir-4.2"/>
+			<call control-id="ir-4.3"/>
+			<call control-id="ir-4.4"/>
+			<call control-id="ir-4.6"/>
+			<call control-id="ir-4.8"/>
 			<call control-id="ir-5"/>
-			<call subcontrol-id="ir-5.1"/>
+			<call control-id="ir-5.1"/>
 			<call control-id="ir-6"/>
-			<call subcontrol-id="ir-6.1"/>
+			<call control-id="ir-6.1"/>
 			<call control-id="ir-7"/>
-			<call subcontrol-id="ir-7.1"/>
+			<call control-id="ir-7.1"/>
+			<call control-id="ir-7.2"/>
 			<call control-id="ir-8"/>
+			<call control-id="ir-9"/>
+			<call control-id="ir-9.1"/>
+			<call control-id="ir-9.2"/>
+			<call control-id="ir-9.3"/>
+			<call control-id="ir-9.4"/>
 			<call control-id="ma-1"/>
 			<call control-id="ma-2"/>
-			<call subcontrol-id="ma-2.2"/>
+			<call control-id="ma-2.2"/>
 			<call control-id="ma-3"/>
-			<call subcontrol-id="ma-3.1"/>
-			<call subcontrol-id="ma-3.2"/>
-			<call subcontrol-id="ma-3.3"/>
+			<call control-id="ma-3.1"/>
+			<call control-id="ma-3.2"/>
+			<call control-id="ma-3.3"/>
 			<call control-id="ma-4"/>
-			<call subcontrol-id="ma-4.2"/>
-			<call subcontrol-id="ma-4.3"/>
+			<call control-id="ma-4.2"/>
+			<call control-id="ma-4.3"/>
+			<call control-id="ma-4.6"/>
 			<call control-id="ma-5"/>
-			<call subcontrol-id="ma-5.1"/>
+			<call control-id="ma-5.1"/>
 			<call control-id="ma-6"/>
 			<call control-id="mp-1"/>
 			<call control-id="mp-2"/>
 			<call control-id="mp-3"/>
 			<call control-id="mp-4"/>
 			<call control-id="mp-5"/>
-			<call subcontrol-id="mp-5.4"/>
+			<call control-id="mp-5.4"/>
 			<call control-id="mp-6"/>
-			<call subcontrol-id="mp-6.1"/>
-			<call subcontrol-id="mp-6.2"/>
-			<call subcontrol-id="mp-6.3"/>
+			<call control-id="mp-6.1"/>
+			<call control-id="mp-6.2"/>
+			<call control-id="mp-6.3"/>
 			<call control-id="mp-7"/>
-			<call subcontrol-id="mp-7.1"/>
+			<call control-id="mp-7.1"/>
 			<call control-id="pe-1"/>
 			<call control-id="pe-2"/>
 			<call control-id="pe-3"/>
-			<call subcontrol-id="pe-3.1"/>
+			<call control-id="pe-3.1"/>
 			<call control-id="pe-4"/>
 			<call control-id="pe-5"/>
 			<call control-id="pe-6"/>
-			<call subcontrol-id="pe-6.1"/>
-			<call subcontrol-id="pe-6.4"/>
+			<call control-id="pe-6.1"/>
+			<call control-id="pe-6.4"/>
 			<call control-id="pe-8"/>
-			<call subcontrol-id="pe-8.1"/>
+			<call control-id="pe-8.1"/>
 			<call control-id="pe-9"/>
 			<call control-id="pe-10"/>
 			<call control-id="pe-11"/>
-			<call subcontrol-id="pe-11.1"/>
+			<call control-id="pe-11.1"/>
 			<call control-id="pe-12"/>
 			<call control-id="pe-13"/>
-			<call subcontrol-id="pe-13.1"/>
-			<call subcontrol-id="pe-13.2"/>
-			<call subcontrol-id="pe-13.3"/>
+			<call control-id="pe-13.1"/>
+			<call control-id="pe-13.2"/>
+			<call control-id="pe-13.3"/>
 			<call control-id="pe-14"/>
+			<call control-id="pe-14.2"/>
 			<call control-id="pe-15"/>
-			<call subcontrol-id="pe-15.1"/>
+			<call control-id="pe-15.1"/>
 			<call control-id="pe-16"/>
 			<call control-id="pe-17"/>
 			<call control-id="pe-18"/>
 			<call control-id="pl-1"/>
 			<call control-id="pl-2"/>
-			<call subcontrol-id="pl-2.3"/>
+			<call control-id="pl-2.3"/>
 			<call control-id="pl-4"/>
-			<call subcontrol-id="pl-4.1"/>
+			<call control-id="pl-4.1"/>
 			<call control-id="pl-8"/>
 			<call control-id="ps-1"/>
 			<call control-id="ps-2"/>
 			<call control-id="ps-3"/>
+			<call control-id="ps-3.3"/>
 			<call control-id="ps-4"/>
-			<call subcontrol-id="ps-4.2"/>
+			<call control-id="ps-4.2"/>
 			<call control-id="ps-5"/>
 			<call control-id="ps-6"/>
 			<call control-id="ps-7"/>
@@ -279,24 +326,36 @@
 			<call control-id="ra-2"/>
 			<call control-id="ra-3"/>
 			<call control-id="ra-5"/>
-			<call subcontrol-id="ra-5.1"/>
-			<call subcontrol-id="ra-5.2"/>
-			<call subcontrol-id="ra-5.4"/>
-			<call subcontrol-id="ra-5.5"/>
+			<call control-id="ra-5.1"/>
+			<call control-id="ra-5.2"/>
+			<call control-id="ra-5.3"/>
+			<call control-id="ra-5.4"/>
+			<call control-id="ra-5.5"/>
+			<call control-id="ra-5.6"/>
+			<call control-id="ra-5.8"/>
+			<call control-id="ra-5.10"/>
 			<call control-id="sa-1"/>
 			<call control-id="sa-2"/>
 			<call control-id="sa-3"/>
 			<call control-id="sa-4"/>
-			<call subcontrol-id="sa-4.1"/>
-			<call subcontrol-id="sa-4.2"/>
-			<call subcontrol-id="sa-4.9"/>
-			<call subcontrol-id="sa-4.10"/>
+			<call control-id="sa-4.1"/>
+			<call control-id="sa-4.2"/>
+			<call control-id="sa-4.8"/>
+			<call control-id="sa-4.9"/>
+			<call control-id="sa-4.10"/>
 			<call control-id="sa-5"/>
 			<call control-id="sa-8"/>
 			<call control-id="sa-9"/>
-			<call subcontrol-id="sa-9.2"/>
+			<call control-id="sa-9.1"/>
+			<call control-id="sa-9.2"/>
+			<call control-id="sa-9.4"/>
+			<call control-id="sa-9.5"/>
 			<call control-id="sa-10"/>
+			<call control-id="sa-10.1"/>
 			<call control-id="sa-11"/>
+			<call control-id="sa-11.1"/>
+			<call control-id="sa-11.2"/>
+			<call control-id="sa-11.8"/>
 			<call control-id="sa-12"/>
 			<call control-id="sa-15"/>
 			<call control-id="sa-16"/>
@@ -306,19 +365,26 @@
 			<call control-id="sc-3"/>
 			<call control-id="sc-4"/>
 			<call control-id="sc-5"/>
+			<call control-id="sc-6"/>
 			<call control-id="sc-7"/>
-			<call subcontrol-id="sc-7.3"/>
-			<call subcontrol-id="sc-7.4"/>
-			<call subcontrol-id="sc-7.5"/>
-			<call subcontrol-id="sc-7.7"/>
-			<call subcontrol-id="sc-7.8"/>
-			<call subcontrol-id="sc-7.18"/>
-			<call subcontrol-id="sc-7.21"/>
+			<call control-id="sc-7.3"/>
+			<call control-id="sc-7.4"/>
+			<call control-id="sc-7.5"/>
+			<call control-id="sc-7.7"/>
+			<call control-id="sc-7.8"/>
+			<call control-id="sc-7.10"/>
+			<call control-id="sc-7.12"/>
+			<call control-id="sc-7.13"/>
+			<call control-id="sc-7.18"/>
+			<call control-id="sc-7.20"/>
+			<call control-id="sc-7.21"/>
 			<call control-id="sc-8"/>
-			<call subcontrol-id="sc-8.1"/>
+			<call control-id="sc-8.1"/>
 			<call control-id="sc-10"/>
 			<call control-id="sc-12"/>
-			<call subcontrol-id="sc-12.1"/>
+			<call control-id="sc-12.1"/>
+			<call control-id="sc-12.2"/>
+			<call control-id="sc-12.3"/>
 			<call control-id="sc-13"/>
 			<call control-id="sc-15"/>
 			<call control-id="sc-17"/>
@@ -328,123 +394,65 @@
 			<call control-id="sc-21"/>
 			<call control-id="sc-22"/>
 			<call control-id="sc-23"/>
+			<call control-id="sc-23.1"/>
 			<call control-id="sc-24"/>
 			<call control-id="sc-28"/>
+			<call control-id="sc-28.1"/>
 			<call control-id="sc-39"/>
 			<call control-id="si-1"/>
 			<call control-id="si-2"/>
-			<call subcontrol-id="si-2.1"/>
-			<call subcontrol-id="si-2.2"/>
+			<call control-id="si-2.1"/>
+			<call control-id="si-2.2"/>
+			<call control-id="si-2.3"/>
 			<call control-id="si-3"/>
-			<call subcontrol-id="si-3.1"/>
-			<call subcontrol-id="si-3.2"/>
+			<call control-id="si-3.1"/>
+			<call control-id="si-3.2"/>
+			<call control-id="si-3.7"/>
 			<call control-id="si-4"/>
-			<call subcontrol-id="si-4.2"/>
-			<call subcontrol-id="si-4.4"/>
-			<call subcontrol-id="si-4.5"/>
+			<call control-id="si-4.1"/>
+			<call control-id="si-4.2"/>
+			<call control-id="si-4.4"/>
+			<call control-id="si-4.5"/>
+			<call control-id="si-4.11"/>
+			<call control-id="si-4.14"/>
+			<call control-id="si-4.16"/>
+			<call control-id="si-4.18"/>
+			<call control-id="si-4.19"/>
+			<call control-id="si-4.20"/>
+			<call control-id="si-4.22"/>
+			<call control-id="si-4.23"/>
+			<call control-id="si-4.24"/>
 			<call control-id="si-5"/>
-			<call subcontrol-id="si-5.1"/>
+			<call control-id="si-5.1"/>
 			<call control-id="si-6"/>
 			<call control-id="si-7"/>
-			<call subcontrol-id="si-7.1"/>
-			<call subcontrol-id="si-7.2"/>
-			<call subcontrol-id="si-7.5"/>
-			<call subcontrol-id="si-7.7"/>
-			<call subcontrol-id="si-7.14"/>
+			<call control-id="si-7.1"/>
+			<call control-id="si-7.2"/>
+			<call control-id="si-7.5"/>
+			<call control-id="si-7.7"/>
+			<call control-id="si-7.14"/>
 			<call control-id="si-8"/>
-			<call subcontrol-id="si-8.1"/>
-			<call subcontrol-id="si-8.2"/>
+			<call control-id="si-8.1"/>
+			<call control-id="si-8.2"/>
 			<call control-id="si-10"/>
 			<call control-id="si-11"/>
 			<call control-id="si-12"/>
 			<call control-id="si-16"/>
+
+
 		</include>
 	</import>
-  <import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
+	<import href="FedRAMP_catalog.xml">
 		<include>
-			<call subcontrol-id="ac-2.7"/>
-			<call subcontrol-id="ac-2.9"/>
-			<call subcontrol-id="ac-2.10"/>
-			<call subcontrol-id="ac-2.12"/>
-			<call subcontrol-id="ac-2.13"/>
-			<call subcontrol-id="ac-4.8"/>
-			<call subcontrol-id="ac-4.21"/>
-			<call subcontrol-id="ac-6.7"/>
-			<call subcontrol-id="ac-6.8"/>
-			<call subcontrol-id="ac-7.2"/>
-			<call subcontrol-id="ac-12.1"/>
-			<call subcontrol-id="ac-17.9"/>
-			<call subcontrol-id="ac-18.3"/>
-			<call subcontrol-id="at-3.3"/>
-			<call subcontrol-id="at-3.4"/>
-			<call subcontrol-id="au-6.4"/>
-			<call subcontrol-id="au-6.7"/>
-			<call subcontrol-id="au-6.10"/>
-			<call subcontrol-id="ca-2.3"/>
-			<call subcontrol-id="ca-3.3"/>
-			<call subcontrol-id="ca-7.3"/>
-			<call subcontrol-id="ca-8.1"/>
-			<call subcontrol-id="cm-3.4"/>
-			<call subcontrol-id="cm-3.6"/>
-			<call subcontrol-id="cm-5.5"/>
-			<call subcontrol-id="cm-10.1"/>
-			<call subcontrol-id="cm-11.1"/>
-			<call subcontrol-id="ia-2.5"/>
-			<call subcontrol-id="ia-4.4"/>
-			<call subcontrol-id="ia-5.4"/>
-			<call subcontrol-id="ia-5.6"/>
-			<call subcontrol-id="ia-5.7"/>
-			<call subcontrol-id="ia-5.8"/>
-			<call subcontrol-id="ia-5.13"/>
-			<call subcontrol-id="ir-4.2"/>
-			<call subcontrol-id="ir-4.3"/>
-			<call subcontrol-id="ir-4.6"/>
-			<call subcontrol-id="ir-4.8"/>
-			<call subcontrol-id="ir-7.2"/>
-			<call control-id="ir-9"/>
-			<call subcontrol-id="ir-9.1"/>
-			<call subcontrol-id="ir-9.2"/>
-			<call subcontrol-id="ir-9.3"/>
-			<call subcontrol-id="ir-9.4"/>
-			<call subcontrol-id="ma-4.6"/>
-			<call subcontrol-id="pe-14.2"/>
-			<call subcontrol-id="ps-3.3"/>
-			<call subcontrol-id="ra-5.3"/>
-			<call subcontrol-id="ra-5.6"/>
-			<call subcontrol-id="ra-5.8"/>
-			<call subcontrol-id="ra-5.10"/>
-			<call subcontrol-id="sa-4.8"/>
-			<call subcontrol-id="sa-9.1"/>
-			<call subcontrol-id="sa-9.4"/>
-			<call subcontrol-id="sa-9.5"/>
-			<call subcontrol-id="sa-10.1"/>
-			<call subcontrol-id="sa-11.1"/>
-			<call subcontrol-id="sa-11.2"/>
-			<call subcontrol-id="sa-11.8"/>
-			<call control-id="sc-6"/>
-			<call subcontrol-id="sc-7.10"/>
-			<call subcontrol-id="sc-7.12"/>
-			<call subcontrol-id="sc-7.13"/>
-			<call subcontrol-id="sc-7.20"/>
-			<call subcontrol-id="sc-12.2"/>
-			<call subcontrol-id="sc-12.3"/>
-			<call subcontrol-id="sc-23.1"/>
-			<call subcontrol-id="sc-28.1"/>
-			<call subcontrol-id="si-2.3"/>
-			<call subcontrol-id="si-3.7"/>
-			<call subcontrol-id="si-4.1"/>
-			<call subcontrol-id="si-4.11"/>
-			<call subcontrol-id="si-4.14"/>
-			<call subcontrol-id="si-4.16"/>
-			<call subcontrol-id="si-4.18"/>
-			<call subcontrol-id="si-4.19"/>
-			<call subcontrol-id="si-4.20"/>
-			<call subcontrol-id="si-4.22"/>
-			<call subcontrol-id="si-4.23"/>
-			<call subcontrol-id="si-4.24"/>
+			<call control-id="ac-8-fr"/>
+			<call control-id="ca-7-fr"/>
+			<call control-id="sc-15-fr"/>
 		</include>
 	</import>
-	<merge/>
+	<merge>
+		<combine method="keep" />
+		<as-is>true</as-is>
+	</merge>
 	<modify>
 		<!-- - - AC-1 - -  -->
 		<set param-id="ac-1_prm_2">
@@ -488,9 +496,6 @@
 		<!-- - - AC-2 (10) - -  -->
 		<!-- - - AC-2 (11) - -  -->
 		<!-- - - AC-2 (12) - -  -->
-		<set param-id="ac-2.12_prm_1">
-			<constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-		</set>
 		<set param-id="ac-2.12_prm_2">
 			<constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
 		</set>
@@ -537,11 +542,8 @@
 		<set param-id="ac-7_prm_2">
 			<constraint>fifteen (15) minutes</constraint>
 		</set>
-		<set param-id="ac-7_prm_3">
-			<constraint>locks the account/node for a minimum of three (3) hours or until unlocked by an administrator</constraint>
-		</set>
 		<set param-id="ac-7_prm_4">
-			<constraint>a minimum of three (3) hours</constraint>
+			<constraint>locks the account/node for a minimum of three (3) hours or until unlocked by an administrator</constraint>
 		</set>
 		<!-- - - AC-7 (2) - -  -->
 		<set param-id="ac-7.2_prm_1">
@@ -669,11 +671,8 @@
 		<!-- - - AU-6 (3) - -  -->
 		<!-- - - AU-6 (4) - -  -->
 		<!-- - - AU-6 (5) - -  -->
-		<set param-id="au-6.5_prm_1">
-			<constraint>Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization -defined data/information collected from other sources]</constraint>
-		</set>
 		<set param-id="au-6.5_prm_2">
-			<constraint>Organization -defined data/information collected from other sources</constraint>
+			<constraint>Possibly to include penetration test data.</constraint>
 		</set>
 		<!-- - - AU-6 (6) - -  -->
 		<!-- - - AU-6 (7) - -  -->
@@ -692,7 +691,7 @@
 			<constraint>At least hourly</constraint>
 		</set>
 		<set param-id="au-8.1_prm_2">
-			<constraint>http://tfnistgov/tf-cgi/serverscgi</constraint>
+			<constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
 		</set>
 		<!-- - - AU-9 - -  -->
 		<!-- - - AU-9 (2) - -  -->
@@ -713,16 +712,10 @@
 		<set param-id="au-12_prm_1">
 			<constraint>all information system and network components where audit capability is deployed/available</constraint>
 		</set>
-		<set param-id="au-12_prm_2">
-			<constraint>all information system and network components where audit capability is deployed/available</constraint>
-		</set>
 		<!-- - - AU-12 (1) - -  -->
 		<set param-id="au-12.1_prm_1">
 			<constraint>all network, data storage, and computing devices</constraint>
 		</set>
-		<set param-id="au-12.1_prm_2">
-			<constraint>all network, data storage, and computing devices</constraint>
-		</set>
 		<!-- - - AU-12 (3) - -  -->
 		<set param-id="au-12.3_prm_1">
 			<constraint>service provider-defined individuals or roles with audit configuration responsibilities</constraint>
@@ -795,9 +788,6 @@
 		<set param-id="ca-8_prm_1">
 			<constraint>at least annually</constraint>
 		</set>
-		<set param-id="ca-8_prm_2">
-			<constraint>at least annually</constraint>
-		</set>
 		<!-- - - CA-8 (1) - -  -->
 		<!-- - - CA-9 - -  -->
 		<!-- - - CM-1 - -  -->
@@ -846,9 +836,6 @@
 		<set param-id="cm-5.2_prm_1">
 			<constraint>at least every thirty (30) days</constraint>
 		</set>
-		<set param-id="cm-5.2_prm_2">
-			<constraint>at least every thirty (30) days</constraint>
-		</set>
 		<!-- - - CM-5 (3) - -  -->
 		<!-- - - CM-5 (5) - -  -->
 		<set param-id="cm-5.5_prm_1">
@@ -1012,19 +999,10 @@
 			<constraint>contractors; foreign nationals]</constraint>
 		</set>
 		<!-- - - IA-5 - -  -->
-		<set param-id="ia-5_prm_1">
-			<constraint>to include sixty (60) days for passwords</constraint>
-		</set>
 		<!-- - - IA-5 (1) - -  -->
-		<set param-id="ia-5.1_prm_1">
-			<constraint>case sensitive, minimum of fourteen (14) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters</constraint>
-		</set>
 		<set param-id="ia-5.1_prm_2">
 			<constraint>at least fifty percent (50%)</constraint>
 		</set>
-		<set param-id="ia-5.1_prm_3">
-			<constraint>one (1) day minimum, sixty (60) day maximum</constraint>
-		</set>
 		<set param-id="ia-5.1_prm_4">
 			<constraint>twenty four (24)</constraint>
 		</set>
@@ -1175,7 +1153,7 @@
 		<!-- - - MP-5 (4) - -  -->
 		<!-- - - MP-6 - -  -->
 		<set param-id="mp-6_prm_2">
-			<constraint>techniques and procedures IAW NIST SP 800-88 and Section 5.9: Reuse and Disposal of Storage Media and Hardware</constraint>
+			<constraint>techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations</constraint>
 		</set>
 		<!-- - - MP-6 (1) - -  -->
 		<!-- - - MP-6 (2) - -  -->
@@ -1359,7 +1337,7 @@
 			<constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
 		</set>
 		<set param-id="ra-5_prm_2">
-			<constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery</constraint>
+			<constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
 		</set>
 		<!-- - - RA-5 (1) - -  -->
 		<!-- - - RA-5 (2) - -  -->
@@ -1465,7 +1443,7 @@
 		<!-- - - SC-7 (3) - -  -->
 		<!-- - - SC-7 (4) - -  -->
 		<set param-id="sc-7.4_prm_1">
-			<constraint>at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions]</constraint>
+			<constraint>at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions</constraint>
 		</set>
 		<!-- - - SC-7 (5) - -  -->
 		<!-- - - SC-7 (7) - -  -->
@@ -1615,3680 +1593,1290 @@
 		<!-- - - SI-12 - -  -->
 		<!-- - - SI-16 - -  -->
 		<!-- - - AC-1 - -  -->
-		<alter control-id="ac-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 - -  -->
-		<alter control-id="ac-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (1) - -  -->
-		<alter subcontrol-id="ac-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (2) - -  -->
-		<alter subcontrol-id="ac-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (3) - -  -->
-		<alter subcontrol-id="ac-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices).  The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.</p>
+		<alter control-id="ac-2.3">
+			<add position="ending">
+				<part id="ac-2.3_fr" name="item" ns="fedramp">
+					<title>AC-2 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.3_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (4) - -  -->
-		<alter subcontrol-id="ac-2.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (5) - -  -->
-		<alter subcontrol-id="ac-2.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Should use a shorter timeframe than AC-12.</p>
+		<alter control-id="ac-2.5">
+			<add position="ending">
+				<part id="ac-2.5_fr" name="item" ns="fedramp">
+					<title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Should use a shorter timeframe than AC-12.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (7) - -  -->
-		<alter subcontrol-id="ac-2.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (9) - -  -->
-		<alter subcontrol-id="ac-2.9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Required if shared/group accounts are deployed</p>
+		<alter control-id="ac-2.9">
+			<add position="ending">
+				<part id="ac-2.9_fr" name="item" ns="fedramp">
+					<title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.9_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Required if shared/group accounts are deployed</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (10) - -  -->
-		<alter subcontrol-id="ac-2.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Required if shared/group accounts are deployed</p>
+		<alter control-id="ac-2.10">
+			<add position="ending">
+				<part id="ac-2.10_fr" name="item" ns="fedramp">
+					<title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.10_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Required if shared/group accounts are deployed</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (11) - -  -->
-		<alter subcontrol-id="ac-2.11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NIST added this control to the NIST High Baseline during the 1/15/2015</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-2 (12) - -  -->
-		<alter subcontrol-id="ac-2.12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Guidance: Required for privileged accounts.</p>
-					<p>(b) Guidance: Required for privileged accounts.</p>
+		<alter control-id="ac-2.12">
+			<add position="ending">
+				<part id="ac-2.12_fr" name="item" ns="fedramp">
+					<title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.12_fr_gdn.1" name="guidance">
+						<prop name="label">(a) Guidance:</prop>
+						<p>Required for privileged accounts.</p>
+					</part>
+					<part id="ac-2.12_fr_gdn.2" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Required for privileged accounts.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (13) - -  -->
-		<alter subcontrol-id="ac-2.13">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-3 - -  -->
-		<alter control-id="ac-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-4 - -  -->
-		<alter control-id="ac-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-4 (8) - -  -->
-		<alter subcontrol-id="ac-4.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. If there is a significant high-impact risk of inadvertent or intentional data leakage with a system deployed in a shared-service environment, this control is justified to mitigate that risk. Similar justification applies when an organization needs to ensure data isolation between different types of information enclaves within the organization.</p>
-					<p>ANALYSIS. Although this control is usually employed to control flows between different classified enclaves, it  can also apply to non-classified scenarios (e.g., the need to isolate legal, personnel, health-related, financial, or other information or files deemed sensitive.</p>
-					<p>SAMPLE THREAT VECTORS.  Sensitive free-text information passes from the personnel department to the rest of the organization. Law-enforcement sensitive information is inadvertently pulled from the organization's general counsel case management system and passed outside the department to users without authorization to view that information. HIPAA-protected health information flows freely from the HR department to all employees. Privacy-Act information flows from an HR system into a publicly released report.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Adaptive, Manageable, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential, Data Controllable, Access-Controlled.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-4 (21) - -  -->
-		<alter subcontrol-id="ac-4.21">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-5 - -  -->
 		<alter control-id="ac-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
+			<add position="ending">
+				<part id="ac-5_fr" name="item" ns="fedramp">
+					<title>AC-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-6 - -  -->
-		<alter control-id="ac-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (1) - -  -->
-		<alter subcontrol-id="ac-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (2) - -  -->
-		<alter subcontrol-id="ac-6.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance:  Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
+		<alter control-id="ac-6.2">
+			<add position="ending">
+				<part id="ac-6.2_fr" name="item" ns="fedramp">
+					<title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-6.2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-6 (3) - -  -->
-		<alter subcontrol-id="ac-6.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (5) - -  -->
-		<alter subcontrol-id="ac-6.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (7) - -  -->
-		<alter subcontrol-id="ac-6.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>CSP Insider Threat mitigation; Good housekeeping and a best business practice for the protection of the CSP and customer alike. In a cloud environment, the power (and potentially harm) of the privileged users is greatly magnified because of the scale. For that reason periodic review of privileges is important.</p>
-					<p>Priority for adding to FedRAMP-M: HIGH</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (8) - -  -->
-		<alter subcontrol-id="ac-6.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>This control is not part of the NIST high baseline and was added for FedRAMP at the recommendation of DoD and NIST. This is a CNSSI 1253 control.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (9) - -  -->
-		<alter subcontrol-id="ac-6.9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-6 (10) - -  -->
-		<alter subcontrol-id="ac-6.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-7 - -  -->
-		<alter control-id="ac-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-7 (2) - -  -->
-		<alter subcontrol-id="ac-7.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. If an organization's mobile devices carry information whose loss would have a high impact, this control is warranted in order to mitigate the risk of such loss.</p>
-					<p>ANALYSIS. The technologies associated with this control are well established COTS hardware and software.</p>
-					<p>SAMPLE THREAT VECTORS.  Mobile device is lost, falls into the hands of people without authorization to view the information contained on the device.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Usable, Adaptive, Manageable, Agile, Supported, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Confidential, Data Controllable, Access-Controlled, Mission Assured.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-8 - -  -->
 		<alter control-id="ac-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-					<p>Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.</p>
-					<p>Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-					<p>Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="ac-8_fr" name="item" ns="fedramp">
+					<title>AC-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="ac-8_fr_smt.2" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
+					</part>
+					<part id="ac-8_fr_smt.3" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-10 - -  -->
-		<alter control-id="ac-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-11 - -  -->
-		<alter control-id="ac-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-11 (1) - -  -->
-		<alter subcontrol-id="ac-11.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-12 - -  -->
-		<alter control-id="ac-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-12 (1) - -  -->
-		<alter subcontrol-id="ac-12.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Recommended by High Baseline Tiger Team. vulnerabilities associated with not having a logout button are well-documented.</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29</p>
+		<alter control-id="ac-12.1">
+			<add position="ending">
+				<part id="ac-12.1_fr" name="item" ns="fedramp">
+					<title>AC-12 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-12.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-14 - -  -->
-		<alter control-id="ac-14">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 - -  -->
-		<alter control-id="ac-17">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 (1) - -  -->
-		<alter subcontrol-id="ac-17.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 (2) - -  -->
-		<alter subcontrol-id="ac-17.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 (3) - -  -->
-		<alter subcontrol-id="ac-17.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 (4) - -  -->
-		<alter subcontrol-id="ac-17.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-17 (9) - -  -->
-		<alter subcontrol-id="ac-17.9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-18 - -  -->
-		<alter control-id="ac-18">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-18 (1) - -  -->
-		<alter subcontrol-id="ac-18.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-18 (3) - -  -->
-		<alter subcontrol-id="ac-18.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection: Best business practice for the protection of the CSP and customer alike  " when not intended for use". This is an unanticipated vector for attack if present and active. While probably not an issue with data center servers and networking devices, wireless is becoming embedded in many  components and devices such as printers, fax devices, copiers, scanners, communications devices, etc. There is the additional potential that wireless capabilities may become available in air conditioners, power centers, power controllers, lighting, alarm systems, etc. There is a potential that these capabilities could exist without organizational awareness. Selection drivedsawareness. It's better to perform the check than to make assumptions about what devices are in the IS.</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs</p>
-					<p>The application of this control enchancement should include all systems and devices in the CSP facility such as printers, fax devices, copiers, scanners, communications devices, air conditioners, power centers, power controllers, lighting, alarm systems,  etc. Wireless networking capabilities should be disabled when they are near or networked with systems supporting customer's services.</p>
-					<p>Priority for adding to  FedRAMP-M: Moderate</p>
-					<p>(Low  L1/2)</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-18 (4) - -  -->
-		<alter subcontrol-id="ac-18.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-18 (5) - -  -->
-		<alter subcontrol-id="ac-18.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-19 - -  -->
-		<alter control-id="ac-19">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-19 (5) - -  -->
-		<alter subcontrol-id="ac-19.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-20 - -  -->
-		<alter control-id="ac-20">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-20 (1) - -  -->
-		<alter subcontrol-id="ac-20.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-20 (2) - -  -->
-		<alter subcontrol-id="ac-20.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-21 - -  -->
-		<alter control-id="ac-21">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AC-22 - -  -->
-		<alter control-id="ac-22">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-1 - -  -->
-		<alter control-id="at-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-2 - -  -->
-		<alter control-id="at-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-2 (2) - -  -->
-		<alter subcontrol-id="at-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-3 - -  -->
-		<alter control-id="at-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-3 (3) - -  -->
-		<alter subcontrol-id="at-3.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems warrant significantly elevated protection; one of these elevated protections is provided through simulated no-notice attacks that exercise users' ability to detect and respond correctly to attempts to steal internal information in their possession.</p>
-					<p>ANALYSIS. These controls are well understood and widely installed; COTS components keep implementation time and cost low.</p>
-					<p>SAMPLE THREAT VECTORS.  Cybersecurity staff do not know how to monitor, respond, and manage complex enforcement systems and subsystems. Cybersecurity staff is not properly trained to understand how the controls are to operate. Staff does not understand the event alarms/logs. Staff is not able to protect from unauthorized disclosure. Staff is careless with handling data, or unwilling to follow the established security protocols, or willing to cut corners to save time.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-3 (4) - -  -->
-		<alter subcontrol-id="at-3.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems warrant significantly elevated protection.</p>
-					<p>ANALYSIS. These controls are well understood and widely installed.</p>
-					<p>THREAT VECTORS ADDRESSED.  Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally when in reality, it is not. People fail to review event logs. People make unauthorized changes to event logger.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AT-4 - -  -->
-		<alter control-id="at-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-1 - -  -->
-		<alter control-id="au-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-2 - -  -->
 		<alter control-id="au-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="au-2_fr" name="item" ns="fedramp">
+					<title>AU-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-2_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-2 (3) - -  -->
-		<alter subcontrol-id="au-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
+		<alter control-id="au-2.3">
+			<add position="ending">
+				<part id="au-2.3_fr" name="item" ns="fedramp">
+					<title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-2.3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-3 - -  -->
-		<alter control-id="au-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-3 (1) - -  -->
-		<alter subcontrol-id="au-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
+		<alter control-id="au-3.1">
+			<add position="ending">
+				<part id="au-3.1_fr" name="item" ns="fedramp">
+					<title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-3.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="au-3.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-3 (2) - -  -->
-		<alter subcontrol-id="au-3.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-4 - -  -->
-		<alter control-id="au-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-5 - -  -->
-		<alter control-id="au-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-5 (1) - -  -->
-		<alter subcontrol-id="au-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-5 (2) - -  -->
-		<alter subcontrol-id="au-5.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - AU-6 - -  -->
 		<alter control-id="au-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+			<add position="ending">
+				<part id="au-6_fr" name="item" ns="fedramp">
+					<title>AU-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-6 (1) - -  -->
-		<alter subcontrol-id="au-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+		<!-- - - AU-6 (3) - -  -->
+		<!-- - - AU-6 (4) - -  -->
+		<!-- - - AU-6 (5) - -  -->
+		<!-- - - AU-6 (6) - -  -->
+		<alter control-id="au-6.6">
+			<add position="ending">
+				<part id="au-6.6_fr" name="item" ns="fedramp">
+					<title>AU-6 (6) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-6.6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (3) - -  -->
-		<alter subcontrol-id="au-6.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+		<!-- - - AU-6 (7) - -  -->
+		<!-- - - AU-6 (10) - -  -->
+		<!-- - - AU-7 - -  -->
+		<!-- - - AU-7 (1) - -  -->
+		<!-- - - AU-8 - -  -->
+		<!-- - - AU-8 (1) - -  -->
+		<alter control-id="au-8.1">
+			<add position="ending">
+				<part id="au-8.1_fr" name="item" ns="fedramp">
+					<title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-8.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
+					</part>
+					<part id="au-8.1_fr_smt.2" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
+					</part>
+					<part id="au-8.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Synchronization of system clocks improves the accuracy of log analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (4) - -  -->
-		<alter subcontrol-id="au-6.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. Due to the complexity of independent systems exchanging security-related monitoring data, and high-impact systems implemented in shared-service environments, the responsible organization needs a centralized capability that integrates these various data sources into a unified whole permitting central review and analysis of diverse log data relevant to security audits.</p>
-					<p>ANALYSIS. This control permits analysts and auditors to focus on their primary duty of analyzing log data, and relieves them of the usual burden of discovery, collection, validation, aggregation, and indexing of large log datasets relevant to system security. Since these latter collection tasks have been automated under this control, less time and funding will be required to execute this core audit/analysis activity.</p>
-					<p>SAMPLE THREAT VECTORS. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally, when it is not. People fail to review event logs. People make unauthorized changes to event logger."</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored.</p>
+		<!-- - - AU-9 - -  -->
+		<!-- - - AU-9 (2) - -  -->
+		<!-- - - AU-9 (3) - -  -->
+		<!-- - - AU-9 (4) - -  -->
+		<!-- - - AU-10 - -  -->
+		<!-- - - AU-11 - -  -->
+		<alter control-id="au-11">
+			<add position="ending">
+				<part id="au-11_fr" name="item" ns="fedramp">
+					<title>AU-11 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-11_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (5) - -  -->
-		<alter subcontrol-id="au-6.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
+		<!-- - - AU-12 - -  -->
+		<!-- - - AU-12 (1) - -  -->
+		<!-- - - AU-12 (3) - -  -->
+		<!-- - - CA-1 - -  -->
+		<!-- - - CA-2 - -  -->
+		<alter control-id="ca-2">
+			<add position="ending">
+				<part id="ca-2_fr" name="item" ns="fedramp">
+					<title>CA-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (6) - -  -->
-		<alter subcontrol-id="au-6.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+		<!-- - - CA-2 (1) - -  -->
+		<alter control-id="ca-2.1">
+			<add position="ending">
+				<part id="ca-2.1_fr" name="item" ns="fedramp">
+					<title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (7) - -  -->
-		<alter subcontrol-id="au-6.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>This control is not part of the NIST high baseline and was added for FedRAMP.</p>
+		<!-- - - CA-2 (2) - -  -->
+		<alter control-id="ca-2.2">
+			<add position="ending">
+				<part id="ca-2.2_fr" name="item" ns="fedramp">
+					<title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2.2_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>To include 'announced', 'vulnerability scanning'</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-6 (10) - -  -->
-		<alter subcontrol-id="au-6.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection L3-6: In support of cyber security threat / incident response activities. Supports flexibility in auditing levels based on threat level. Supports CSP integration with DoD security architecture. The sensitivity of the information at  levels 3-6 warrents the adjustment of auditing levels based on threat level.</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs: This CE supports  cyber security threat / incident response activities and  flexibility in auditing levels based on threat level. This CE also supports CSP integration with DoD security architecture and the ability to respond to  USCYBERCOM and DoD CNDSP alerts and directives.</p>
-					<p>NOTE L1/2: The handling of alerts from US-CERT and other credible sources is sufficient to change auditing activities if this CE is tailored in via an SLA.</p>
-					<p>NOTE: L3-6: The handling of alerts and directives from USCYBERCOM and DoD CNDSPs is required at these levels in addition to handling of alerts from US-CERTand other credible sources.</p>
-					<p>Priority for adding to  FedRAMP-M: High</p>
+		<!-- - - CA-2 (3) - -  -->
+		<!-- - - CA-3 - -  -->
+		<!-- - - CA-3 (3) - -  -->
+		<alter control-id="ca-3.3">
+			<add position="ending">
+				<part id="ca-3.3_fr" name="item" ns="fedramp">
+					<title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-3.3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-7 - -  -->
-		<alter control-id="au-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+		<!-- - - CA-3 (5) - -  -->
+		<alter control-id="ca-3.5">
+			<add position="ending">
+				<part id="ca-3.5_fr" name="item" ns="fedramp">
+					<title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-3.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-7 (1) - -  -->
-		<alter subcontrol-id="au-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+		<!-- - - CA-5 - -  -->
+		<alter control-id="ca-5">
+			<add position="ending">
+				<part id="ca-5_fr" name="item" ns="fedramp">
+					<title>CA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
+					</part>
+					<part id="ca-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - AU-8 - -  -->
-		<alter control-id="au-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-8 (1) - -  -->
-		<alter subcontrol-id="au-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-					<p>Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-					<p>Guidance: Synchronization of system clocks improves the accuracy of log analysis.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-9 - -  -->
-		<alter control-id="au-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-9 (2) - -  -->
-		<alter subcontrol-id="au-9.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-9 (3) - -  -->
-		<alter subcontrol-id="au-9.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-9 (4) - -  -->
-		<alter subcontrol-id="au-9.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-10 - -  -->
-		<alter control-id="au-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-11 - -  -->
-		<alter control-id="au-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-12 - -  -->
-		<alter control-id="au-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-12 (1) - -  -->
-		<alter subcontrol-id="au-12.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Non-repudiation</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - AU-12 (3) - -  -->
-		<alter subcontrol-id="au-12.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Non-repudiation</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-1 - -  -->
-		<alter control-id="ca-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-2 - -  -->
-		<alter control-id="ca-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-2 (1) - -  -->
-		<alter subcontrol-id="ca-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: For JAB Authorization, must use an accredited 3PAO.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-2 (2) - -  -->
-		<alter subcontrol-id="ca-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: To include 'announced', 'vulnerability scanning'</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-2 (3) - -  -->
-		<alter subcontrol-id="ca-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-3 - -  -->
-		<alter control-id="ca-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-3 (3) - -  -->
-		<alter subcontrol-id="ca-3.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-3 (5) - -  -->
-		<alter subcontrol-id="ca-3.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-5 - -  -->
-		<alter control-id="ca-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Requirement: POA&amp;Ms must be provided at least monthly.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - CA-6 - -  -->
-		<alter control-id="ca-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(c) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+		<!-- - - CA-6 - -  -->
+		<alter control-id="ca-6">
+			<add position="ending">
+				<part id="ca-6_fr" name="item" ns="fedramp">
+					<title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-7 - -  -->
 		<alter control-id="ca-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually</p>
-					<p>Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-					<p>Operating System Scans: at least monthly</p>
-					<p>Database and Web Application Scans: at least monthly</p>
-					<p>All scans performed by Independent Assessor: at least annually</p>
+			<add position="ending">
+				<part id="ca-7_fr" name="item" ns="fedramp">
+					<title>CA-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
+					</part>
+					<part id="ca-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
+					</part>
+					<part id="ca-7_fr_gdn.2" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-7 (1) - -  -->
-		<alter subcontrol-id="ca-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CA-7 (3) - -  -->
-		<alter subcontrol-id="ca-7.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. Organization requires independent data to validate that current security monitoring continues to target the right data, and that no gaps have opened between what is currently measured and what needs to be measured given the constantly evolving threat environment. In particular, the organization determines that security management will need trend analytics tuned to the current security climate to ensure the organization's security officials maintain general situational awareness of larger security trends that may pose a threat to the organization's high-impact systems fielded in shared-service environments.</p>
-					<p>ANALYSIS. Implementation of this control should provide security management with a technical advantage by forcing them to maintain continual current awareness of the larger security threat-scape, rather than become lost in the lower-level details of specific security metrics.</p>
-					<p>SAMPLE THREAT VECTORS ADDRESSED. Stakeholders do not have the information they need to make sound decisions due to technology capability. System fails to send alarms, logs, and other pertinent data to the event manager. Control processes involve too many layers of review, concurrence, and revision to support effective and timely conveyance of relevant information to decision-makers. Monitoring not effectively linked to control processes.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Controlled</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CA-8 - -  -->
 		<alter control-id="ca-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+			<add position="ending">
+				<part id="ca-8_fr" name="item" ns="fedramp">
+					<title>CA-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href='https://www.FedRAMP.gov/documents/'>https://www.FedRAMP.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-8 (1) - -  -->
-		<alter subcontrol-id="ca-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CA-9 - -  -->
-		<alter control-id="ca-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-1 - -  -->
-		<alter control-id="cm-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-2 - -  -->
-		<alter control-id="cm-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-2 (1) - -  -->
-		<alter subcontrol-id="cm-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+		<alter control-id="cm-2.1">
+			<add position="ending">
+				<part id="cm-2.1_fr" name="item" ns="fedramp">
+					<title>CM-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-2.1_fr_gdn.1" name="guidance">
+						<prop name="label">(a) Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-2 (2) - -  -->
-		<alter subcontrol-id="cm-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-2 (3) - -  -->
-		<alter subcontrol-id="cm-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-2 (7) - -  -->
-		<alter subcontrol-id="cm-2.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-3 - -  -->
 		<alter control-id="cm-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-					<p>(e) Guidance: In accordance with record retention policies and procedures.</p>
+			<add position="ending">
+				<part id="cm-3_fr" name="item" ns="fedramp">
+					<title>CM-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-3_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="cm-3_fr_gdn.1" name="guidance">
+						<prop name="label">(e) Guidance:</prop>
+						<p>In accordance with record retention policies and procedures.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-3 (1) - -  -->
-		<alter subcontrol-id="cm-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-3 (2) - -  -->
-		<alter subcontrol-id="cm-3.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-3 (4) - -  -->
-		<alter subcontrol-id="cm-3.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for De-Selection L1/2: The sensitivity of the information at these levels may not require a  information security representative to be a member of the  organization-defined configuration change control element.</p>
-					<p>Rationale for Selection L3-6: This is a best business practice for the protection of the CSP and customer alike in that the security representative will be more aware of IA issues that configuration changes can introduce and he/she can more easily provide IA guidance for issues spotted.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-3 (6) - -  -->
-		<alter subcontrol-id="cm-3.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for SA L1: Cryptographic mechanisms are only required at this level for priviledged user (system administrator / SA) access control and the transport of privileged commands or configuration files. Not the publicly released information served at this level.</p>
-					<p>Rationale for Selection L2-6: Best practice. Supplemental guidance for this CE refers primarily to the processes surrounding the management of the cryptographic mechanisms used. These processes need to be under change management that addresses security concerns to ensure they remain secure.</p>
-					<p>CE supplemental guidance.</p>
-					<p>Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates.</p>
-					<p>Priority for adding to  FedRAMP-M: High</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-4 - -  -->
-		<alter control-id="cm-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-4 (1) - -  -->
-		<alter subcontrol-id="cm-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-5 - -  -->
-		<alter control-id="cm-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-5 (1) - -  -->
-		<alter subcontrol-id="cm-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-5 (2) - -  -->
-		<alter subcontrol-id="cm-5.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-5 (3) - -  -->
-		<alter subcontrol-id="cm-5.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
+		<alter control-id="cm-5.3">
+			<add position="ending">
+				<part id="cm-5.3_fr" name="item" ns="fedramp">
+					<title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-5.3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-5 (5) - -  -->
-		<alter subcontrol-id="cm-5.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-6 - -  -->
 		<alter control-id="cm-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a)-1 Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.</p>
-					<p>(a)-2 Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).</p>
-					<p>(a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
+			<add position="ending">
+				<part id="cm-6_fr" name="item" ns="fedramp">
+					<title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-6_fr_smt.1" name="item">
+						<prop name="label">Requirement 1:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
+					</part>
+					<part id="cm-6_fr_smt.2" name="item">
+						<prop name="label">Requirement 2:</prop>
+						<p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
+					</part>
+					<part id="cm-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-6 (1) - -  -->
-		<alter subcontrol-id="cm-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-6 (2) - -  -->
-		<alter subcontrol-id="cm-6.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-7 - -  -->
 		<alter control-id="cm-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-					<p>Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
-					<p>(Partially derived from AC-17(8).</p>
+			<add position="ending">
+				<part id="cm-7_fr" name="item" ns="fedramp">
+					<title>CM-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
+					</part>
+					<part id="cm-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-7 (1) - -  -->
-		<alter subcontrol-id="cm-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-7 (2) - -  -->
-		<alter subcontrol-id="cm-7.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
+		<alter control-id="cm-7.2">
+			<add position="ending">
+				<part id="cm-7.2_fr" name="item" ns="fedramp">
+					<title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-7.2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-7 (5) - -  -->
-		<alter subcontrol-id="cm-7.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-8 - -  -->
 		<alter control-id="cm-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: must be provided at least monthly or when there is a change.</p>
+			<add position="ending">
+				<part id="cm-8_fr" name="item" ns="fedramp">
+					<title>CM-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Must be provided at least monthly or when there is a change.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-8 (1) - -  -->
-		<alter subcontrol-id="cm-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-8 (2) - -  -->
-		<alter subcontrol-id="cm-8.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-8 (3) - -  -->
-		<alter subcontrol-id="cm-8.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-8 (4) - -  -->
-		<alter subcontrol-id="cm-8.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-8 (5) - -  -->
-		<alter subcontrol-id="cm-8.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-9 - -  -->
-		<alter control-id="cm-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-10 - -  -->
-		<alter control-id="cm-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-10 (1) - -  -->
-		<alter subcontrol-id="cm-10.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-11 - -  -->
-		<alter control-id="cm-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CM-11 (1) - -  -->
-		<alter subcontrol-id="cm-11.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems will require special measures to ensure users cannot place the overall system at risk by installing unauthorized software. This control supports that need.</p>
-					<p>ANALYSIS. Implementation of these controls is well understood, and relies on capabilities provided in COTS operating systems.</p>
-					<p>SAMPLE THREAT VECTORS.  The system executes malicious and harmful software. Software updates could render the system unstable or cause it to function incorrectly. Software is not designed with adequate safeguards to protect PII and other sensitive information. Users could make mistakes in following policy. Users could intentionally install unapproved/unvetted software.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Quality Assured, Substantiated  Integrity, Maintainable, Testable, Configuration Managed, Change Managed, Supported, Assessed, Auditable, Authorized, Regulated, Enforcement, Controlled, Reliable, Providing Good Data Stewardship, Assured, Confidential, Access-Controlled</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-1 - -  -->
-		<alter control-id="cp-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 - -  -->
 		<alter control-id="cp-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="cp-2_fr" name="item" ns="fedramp">
+					<title>CP-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-2_fr_smt.1" name="item">
+						<prop name="label">CP-2 Requirement:</prop>
+						<p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-2 (1) - -  -->
-		<alter subcontrol-id="cp-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 (2) - -  -->
-		<alter subcontrol-id="cp-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 (3) - -  -->
-		<alter subcontrol-id="cp-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 (4) - -  -->
-		<alter subcontrol-id="cp-2.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 (5) - -  -->
-		<alter subcontrol-id="cp-2.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-2 (8) - -  -->
-		<alter subcontrol-id="cp-2.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-3 - -  -->
-		<alter control-id="cp-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-3 (1) - -  -->
-		<alter subcontrol-id="cp-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-4 - -  -->
 		<alter control-id="cp-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+			<add position="ending">
+				<part id="cp-4_fr" name="item" ns="fedramp">
+					<title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-4_fr_smt.a" name="item">
+						<prop name="label">CP-4(a) Requirement:</prop>
+						<p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-4 (1) - -  -->
-		<alter subcontrol-id="cp-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-4 (2) - -  -->
-		<alter subcontrol-id="cp-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-6 - -  -->
-		<alter control-id="cp-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-6 (1) - -  -->
-		<alter subcontrol-id="cp-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-6 (2) - -  -->
-		<alter subcontrol-id="cp-6.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-6 (3) - -  -->
-		<alter subcontrol-id="cp-6.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-7 - -  -->
 		<alter control-id="cp-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+			<add position="ending">
+				<part id="cp-7_fr" name="item" ns="fedramp">
+					<title>CP-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-7_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-7 (1) - -  -->
-		<alter subcontrol-id="cp-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
+		<alter control-id="cp-7.1">
+			<add position="ending">
+				<part id="cp-7.1_fr" name="item" ns="fedramp">
+					<title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-7.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-7 (2) - -  -->
-		<alter subcontrol-id="cp-7.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-7 (3) - -  -->
-		<alter subcontrol-id="cp-7.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-7 (4) - -  -->
-		<alter subcontrol-id="cp-7.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-8 - -  -->
 		<alter control-id="cp-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+			<add position="ending">
+				<part id="cp-8_fr" name="item" ns="fedramp">
+					<title>CP-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-8 (1) - -  -->
-		<alter subcontrol-id="cp-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-8 (2) - -  -->
-		<alter subcontrol-id="cp-8.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-8 (3) - -  -->
-		<alter subcontrol-id="cp-8.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-8 (4) - -  -->
-		<alter subcontrol-id="cp-8.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-9 - -  -->
 		<alter control-id="cp-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control.  The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-					<p>(a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.</p>
+			<add position="ending">
+				<part id="cp-9_fr" name="item" ns="fedramp">
+					<title>CP-9 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-9_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
+					</part>
+					<part id="cp-9_fr_smt.a" name="item">
+						<prop name="label">CP-9(a) Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.b" name="item">
+						<prop name="label">CP-9(b)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.c" name="item">
+						<prop name="label">CP-9(c)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-9 (1) - -  -->
-		<alter subcontrol-id="cp-9.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-9 (2) - -  -->
-		<alter subcontrol-id="cp-9.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-9 (3) - -  -->
-		<alter subcontrol-id="cp-9.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-9 (5) - -  -->
-		<alter subcontrol-id="cp-9.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-10 - -  -->
-		<alter control-id="cp-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-10 (2) - -  -->
-		<alter subcontrol-id="cp-10.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - CP-10 (4) - -  -->
-		<alter subcontrol-id="cp-10.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-1 - -  -->
-		<alter control-id="ia-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 - -  -->
-		<alter control-id="ia-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (1) - -  -->
-		<alter subcontrol-id="ia-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (2) - -  -->
-		<alter subcontrol-id="ia-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (3) - -  -->
-		<alter subcontrol-id="ia-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (4) - -  -->
-		<alter subcontrol-id="ia-2.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (5) - -  -->
-		<alter subcontrol-id="ia-2.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (8) - -  -->
-		<alter subcontrol-id="ia-2.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (9) - -  -->
-		<alter subcontrol-id="ia-2.9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-2 (11) - -  -->
-		<alter subcontrol-id="ia-2.11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
+		<alter control-id="ia-2.11">
+			<add position="ending">
+				<part id="ia-2.11_fr" name="item" ns="fedramp">
+					<title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-2.11_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-2 (12) - -  -->
-		<alter subcontrol-id="ia-2.12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+		<alter control-id="ia-2.12">
+			<add position="ending">
+				<part id="ia-2.12_fr" name="item" ns="fedramp">
+					<title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-2.12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-3 - -  -->
-		<alter control-id="ia-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-4 - -  -->
 		<alter control-id="ia-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(e) Requirement: The service provider defines the time period of inactivity for device identifiers.</p>
-					<p>Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.</p>
+			<add position="ending">
+				<part id="ia-4_fr" name="item" ns="fedramp">
+					<title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-4_fr_smt.e" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines the time period of inactivity for device identifiers.</p>
+					</part>
+					<part id="ia-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-4 (4) - -  -->
-		<alter subcontrol-id="ia-4.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 - -  -->
 		<alter control-id="ia-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Authenticators must be compliant with NIST SP 800-63-2 Electronic Authentication Guideline assurance Level 4 (Link http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)</p>
+			<add position="ending">
+				<part id="ia-5_fr" name="item" ns="fedramp">
+					<title>IA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-5 (1) - -  -->
-		<alter subcontrol-id="ia-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+		<alter control-id="ia-5.1">
+			<add position="ending">
+				<part id="ia-5.1_fr" name="item" ns="fedramp">
+					<title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5.1_fr_gdn.1" name="guidance">
+						<prop name="label">(a) (d) Guidance:</prop>
+						<p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-5 (2) - -  -->
-		<alter subcontrol-id="ia-5.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (3) - -  -->
-		<alter subcontrol-id="ia-5.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (4) - -  -->
-		<alter subcontrol-id="ia-5.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
+		<alter control-id="ia-5.4">
+			<add position="ending">
+				<part id="ia-5.4_fr" name="item" ns="fedramp">
+					<title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5.4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-5 (6) - -  -->
-		<alter subcontrol-id="ia-5.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (7) - -  -->
-		<alter subcontrol-id="ia-5.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (8) - -  -->
-		<alter subcontrol-id="ia-5.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. In those cases where an organization's user accounts authenticate to more than one system, and at least one of those systems is a high-impact system implemented in a shared-service environment, then this control is warranted as a baseline capability to guard against loss of high-impact, sensitive information.</p>
-					<p>ANALYSIS. Organizations can use COTS tools and techniques to implement this control in many ways. Agencies should be prepared to document their plan and approach to this control technique.</p>
-					<p>THREAT VECTORS ADDRESSED. A user's account password is cracked, permitting attackers to identify all systems to which the user has access, and to gain access to the information in those systems.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (11) - -  -->
-		<alter subcontrol-id="ia-5.11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-5 (13) - -  -->
-		<alter subcontrol-id="ia-5.13">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection:  Best practice for authenticated web services and best business practice for the protection of the CSP and customer alike.  ECSB sees this as a significant value add toward the protection of customer accounts on SaaS or customer service / managent interfaces/portals.</p>
-					<p>L1 Rationale for SA: No authenticators are required for user access to public informationl. Info sensitivity does not warrant. However this CE would be required priviledged user access to manage the system server(s) containing public information.</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs: CSP must minimally implement this control enhancement on all SaaS offerings and customer service / managent interfaces. The time period can be negotiated in the SLA.</p>
-					<p>NOTE: while the browser or other client cashes the authenticator, the server must enforce its expiration if the client does not.</p>
-					<p>Priority for adding to  FedRAMP-M: Low</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-6 - -  -->
-		<alter control-id="ia-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-7 - -  -->
-		<alter control-id="ia-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-8 - -  -->
-		<alter control-id="ia-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-8 (1) - -  -->
-		<alter subcontrol-id="ia-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-8 (2) - -  -->
-		<alter subcontrol-id="ia-8.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-8 (3) - -  -->
-		<alter subcontrol-id="ia-8.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IA-8 (4) - -  -->
-		<alter subcontrol-id="ia-8.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-1 - -  -->
-		<alter control-id="ir-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-2 - -  -->
-		<alter control-id="ir-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-2 (1) - -  -->
-		<alter subcontrol-id="ir-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-2 (2) - -  -->
-		<alter subcontrol-id="ir-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-3 - -  -->
 		<alter control-id="ir-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>-2 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
+			<add position="ending">
+				<part id="ir-3_fr" name="item" ns="fedramp">
+					<title>IR-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-3_fr_smt.1" name="item">
+						<prop name="label">IR-3 -2 Requirement:</prop>
+						<p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
+					</part>
 				</part>
+
 			</add>
 		</alter>
 		<!-- - - IR-3 (2) - -  -->
-		<alter subcontrol-id="ir-3.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 - -  -->
 		<alter control-id="ir-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+			<add position="ending">
+				<part id="ir-4_fr" name="item" ns="fedramp">
+					<title>IR-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-4_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IR-4 (1) - -  -->
-		<alter subcontrol-id="ir-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 (2) - -  -->
-		<alter subcontrol-id="ir-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. Organization requires near real-time subsystem reconfiguration for high-impact systems, especially those deployed wholly or partially into shared-service environments. This dynamic reconfiguration is required for core infrastructure components such as routers, firewalls, messaging gateways, or access control/authentication servers, especially when these core components are under cyber-attack.</p>
-					<p>ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. Since this technology area is rapidly changing to meet new cyber-threat scenarios, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are clear, especially for high-impact systems infrastructure.</p>
-					<p>SAMPLE THREAT VECTORS. System does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptive, Restorable</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 (3) - -  -->
-		<alter subcontrol-id="ir-4.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. Due to the direct connection between system function and critical mission/business capability, the system requires Continuity-of-Operations (COOP) controls.</p>
-					<p>ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. Since this technology area is rapidly changing to meet new cyber-threat scenarios and also changes in subsystem technology, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are fundamental, especially for high-impact systems infrastructure.</p>
-					<p>SAMPLE THREAT VECTORS. The system does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system. Time does not allow for the design in error handling, self-recovery, or to capitalize on system diversity to restore a system.  Also, the organization lacks the expertise to develop or implement a plan for restoring system. A malicious change may be implemented to counter the ability to restore the system.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptable, Restorable</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 (4) - -  -->
-		<alter subcontrol-id="ir-4.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 (6) - -  -->
-		<alter subcontrol-id="ir-4.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems will require special measures to ensure security incidents are correctly and effectively handled in a timely manner. This high-level control supports that need, and is therefore warranted as a baseline for high-impact systems in shared-service environments.</p>
-					<p>ANALYSIS. Implementation of this general control is well understood among Departments and Agencies. However, it may require special funding and time to implement in a shared service environment, where response roles and responsibilities demand vigilant analysis and definition.</p>
-					<p>SAMPLE THREAT VECTORS.  Insiders gain access to information for which they have no authorization. Insiders push sensitive information to outside networks not authorized to receive it. Insiders violate agency information-security policies. Insider actions are not monitored.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Agile, Owned, Enforcement</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-4 (8) - -  -->
-		<alter subcontrol-id="ir-4.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>This control was recommended ecommended by the High Baseline Tiger Team.</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-5 - -  -->
-		<alter control-id="ir-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-5 (1) - -  -->
-		<alter subcontrol-id="ir-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-6 - -  -->
 		<alter control-id="ir-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.</p>
+			<add position="ending">
+				<part id="ir-6_fr" name="item" ns="fedramp">
+					<title>IR-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IR-6 (1) - -  -->
-		<alter subcontrol-id="ir-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-7 - -  -->
-		<alter control-id="ir-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-7 (1) - -  -->
-		<alter subcontrol-id="ir-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-7 (2) - -  -->
-		<alter subcontrol-id="ir-7.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-8 - -  -->
 		<alter control-id="ir-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
-					<p>(e) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="ir-8_fr" name="item" ns="fedramp">
+					<title>IR-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-8_fr_smt.b" name="item">
+						<prop name="label">(b) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
+					<part id="ir-8_fr_smt.e" name="item">
+						<prop name="label">(e) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IR-9 - -  -->
-		<alter control-id="ir-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-9 (1) - -  -->
-		<alter subcontrol-id="ir-9.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-9 (2) - -  -->
-		<alter subcontrol-id="ir-9.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-9 (3) - -  -->
-		<alter subcontrol-id="ir-9.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - IR-9 (4) - -  -->
-		<alter subcontrol-id="ir-9.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-1 - -  -->
-		<alter control-id="ma-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-2 - -  -->
-		<alter control-id="ma-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-2 (2) - -  -->
-		<alter subcontrol-id="ma-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-3 - -  -->
-		<alter control-id="ma-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-3 (1) - -  -->
-		<alter subcontrol-id="ma-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - MA-3 (2) - -  -->
-		<alter subcontrol-id="ma-3.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - MA-3 (3) - -  -->
-		<alter subcontrol-id="ma-3.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
+		<!-- - - MA-3 (2) - -  -->
+		<!-- - - MA-3 (3) - -  -->
 		<!-- - - MA-4 - -  -->
-		<alter control-id="ma-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-4 (2) - -  -->
-		<alter subcontrol-id="ma-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-4 (3) - -  -->
-		<alter subcontrol-id="ma-4.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-4 (6) - -  -->
-		<alter subcontrol-id="ma-4.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection:    Best practice business practice for the protection of the CSP and customer alike.  Protects against unauthorized access and compromise of the CSP infrastructure. See Supplemental Guidance</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs:  While AC-17(2) is similar to this CE and implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions, System configuration, maintenance and diagnostic communications can be considered sensitive information and it is in DoD. Maintaining the confidrntiality and integrity of nonlocal maintenance and diagnostic communications helps maintain the health of the system, prevents unauthorized access from sniffing and MITM atacks, etc. While beneficial this selection may not be required for nonlocal maintenance and diagnostic communications over the CSP's private network and particularly if that network is out of band. Encryption is required if such communications are over a network external to the CSP (e.g., the Internet).</p>
-					<p>Priority for adding to  FedRAMP-M: High</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-5 - -  -->
-		<alter control-id="ma-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-5 (1) - -  -->
-		<alter subcontrol-id="ma-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MA-6 - -  -->
-		<alter control-id="ma-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-1 - -  -->
-		<alter control-id="mp-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-2 - -  -->
-		<alter control-id="mp-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-3 - -  -->
 		<alter control-id="mp-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Guidance: Second parameter not-applicable</p>
+			<add position="ending">
+				<part id="mp-3_fr" name="item" ns="fedramp">
+					<title>MP-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-3_fr_gdn.b" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Second parameter not-applicable</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-4 - -  -->
 		<alter control-id="mp-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: The service provider defines controlled areas within facilities where the information and information system reside.</p>
+			<add position="ending">
+				<part id="mp-4_fr" name="item" ns="fedramp">
+					<title>MP-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-4_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-5 - -  -->
 		<alter control-id="mp-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
+			<add position="ending">
+				<part id="mp-5_fr" name="item" ns="fedramp">
+					<title>MP-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-5_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-5 (4) - -  -->
-		<alter subcontrol-id="mp-5.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-6 - -  -->
-		<alter control-id="mp-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-6 (1) - -  -->
-		<alter subcontrol-id="mp-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-6 (2) - -  -->
-		<alter subcontrol-id="mp-6.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Equipment and procedures may be tested or validated for effectiveness</p>
+		<alter control-id="mp-6.2">
+			<add position="ending">
+				<part id="mp-6.2_fr" name="item" ns="fedramp">
+					<title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-6.2_fr_gdn.a" name="guidance">
+						<prop name="label">(a) Requirement:</prop>
+						<p>Equipment and procedures may be tested or validated for effectiveness</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-6 (3) - -  -->
-		<alter subcontrol-id="mp-6.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-7 - -  -->
-		<alter control-id="mp-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - MP-7 (1) - -  -->
-		<alter subcontrol-id="mp-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-1 - -  -->
-		<alter control-id="pe-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-2 - -  -->
-		<alter control-id="pe-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-3 - -  -->
-		<alter control-id="pe-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-3 (1) - -  -->
-		<alter subcontrol-id="pe-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-4 - -  -->
-		<alter control-id="pe-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-5 - -  -->
-		<alter control-id="pe-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-6 - -  -->
-		<alter control-id="pe-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-6 (1) - -  -->
-		<alter subcontrol-id="pe-6.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-6 (4) - -  -->
-		<alter subcontrol-id="pe-6.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-8 - -  -->
-		<alter control-id="pe-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-8 (1) - -  -->
-		<alter subcontrol-id="pe-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-9 - -  -->
-		<alter control-id="pe-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-10 - -  -->
-		<alter control-id="pe-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-11 - -  -->
-		<alter control-id="pe-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-11 (1) - -  -->
-		<alter subcontrol-id="pe-11.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-12 - -  -->
-		<alter control-id="pe-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-13 - -  -->
-		<alter control-id="pe-13">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-13 (1) - -  -->
-		<alter subcontrol-id="pe-13.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-13 (2) - -  -->
-		<alter subcontrol-id="pe-13.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-13 (3) - -  -->
-		<alter subcontrol-id="pe-13.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-14 - -  -->
 		<alter control-id="pe-14">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirements:  The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+			<add position="ending">
+				<part id="pe-14_fr" name="item" ns="fedramp">
+					<title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="pe-14_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - PE-14 (2) - -  -->
-		<alter subcontrol-id="pe-14.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-15 - -  -->
-		<alter control-id="pe-15">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-15 (1) - -  -->
-		<alter subcontrol-id="pe-15.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-16 - -  -->
-		<alter control-id="pe-16">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-17 - -  -->
-		<alter control-id="pe-17">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PE-18 - -  -->
-		<alter control-id="pe-18">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-1 - -  -->
-		<alter control-id="pl-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-2 - -  -->
-		<alter control-id="pl-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-2 (3) - -  -->
-		<alter subcontrol-id="pl-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-4 - -  -->
-		<alter control-id="pl-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-4 (1) - -  -->
-		<alter subcontrol-id="pl-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PL-8 - -  -->
 		<alter control-id="pl-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+			<add position="ending">
+				<part id="pl-8_fr" name="item" ns="fedramp">
+					<title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
+					<part id="pl-8_fr_gdn.b" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - PS-1 - -  -->
-		<alter control-id="ps-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-2 - -  -->
-		<alter control-id="ps-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-3 - -  -->
-		<alter control-id="ps-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-3 (3) - -  -->
-		<alter subcontrol-id="ps-3.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-4 - -  -->
-		<alter control-id="ps-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-4 (2) - -  -->
-		<alter subcontrol-id="ps-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-5 - -  -->
-		<alter control-id="ps-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-6 - -  -->
-		<alter control-id="ps-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-7 - -  -->
-		<alter control-id="ps-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - PS-8 - -  -->
-		<alter control-id="ps-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-1 - -  -->
-		<alter control-id="ra-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-2 - -  -->
-		<alter control-id="ra-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-3 - -  -->
 		<alter control-id="ra-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.</p>
-					<p>(d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.</p>
+			<add position="ending">
+				<part id="ra-3_fr" name="item" ns="fedramp">
+					<title>RA-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
+					</part>
+					<part id="ra-3_fr_smt.d" name="item">
+						<prop name="label">RA-3 (d) Requirement:</prop>
+						<p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 - -  -->
 		<alter control-id="ra-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+			<add>
+				<part id="ra-5_fr_smt.a" name="item">
+					<title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (a)Requirement:</prop>
+					<p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
 				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-					<p>(e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP</p>
+				<part id="ra-5_fr_smt.e" name="item">
+					<title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (e)Requirement:</prop>
+					<p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
 				</part>
-			</add>
-		</alter>
-		<!-- - - RA-5 (1) - -  -->
-		<alter subcontrol-id="ra-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
+				<part id="ra-5_fr" name="item" ns="fedramp">
+					<title>RA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p><strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
+					</part>
 				</part>
 			</add>
 		</alter>
+		<!-- - - RA-5 (1) - -  -->
 		<!-- - - RA-5 (2) - -  -->
-		<alter subcontrol-id="ra-5.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-5 (3) - -  -->
-		<alter subcontrol-id="ra-5.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-5 (4) - -  -->
-		<alter subcontrol-id="ra-5.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-5 (5) - -  -->
-		<alter subcontrol-id="ra-5.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - RA-5 (6) - -  -->
-		<alter subcontrol-id="ra-5.6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
+		<alter control-id="ra-5.6">
+			<add position="ending">
+				<part id="ra-5.6_fr" name="item" ns="fedramp">
+					<title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5.6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 (8) - -  -->
-		<alter subcontrol-id="ra-5.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirements: This enhancement is required for all high vulnerability scan findings.</p>
-					<p>Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
+		<alter control-id="ra-5.8">
+			<add position="ending">
+				<part id="ra-5.8_fr" name="item" ns="fedramp">
+					<title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5.8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>This enhancement is required for all high vulnerability scan findings.</p>
+					</part>
+					<part id="ra-5.8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 (10) - -  -->
-		<alter subcontrol-id="ra-5.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. Organizations commonly run vulnerability scanning tools against diverse enterprise systems and subsystems. These tools are often attuned to the specific subsystems, and often provided by different manufacturers. Because there is no single-vendor consolidation of all scanning tools, organizations need to correlate the outputs of these tools in order to triangulate on potential threats that may be related, or identical at their source. When the security impact is high a shared-service environment may increase the number of independent scanning tools, implementation of this control is warranted.</p>
-					<p>ANALYSIS. Although this control is well understood by vendors, its implementation takes many forms, depending on the scanning tools adopted by a particular organization.</p>
-					<p>SAMPLE THREAT VECTORS. Different scanning tools discover low-impact vulnerabilities in multiple subsystems of a system. Considered individually, none of them warrants immediate action,; yet when considered together, they constitute a significant attack pattern.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Interoperable, Change Managed, Agile, Supported, Assessed, Monitored</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: If multiple tools are not used, this control is not applicable.</p>
+		<alter control-id="ra-5.10">
+			<add position="ending">
+				<part id="ra-5.10_fr" name="item" ns="fedramp">
+					<title>RA-5 (10) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5.10_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>If multiple tools are not used, this control is not applicable.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-1 - -  -->
-		<alter control-id="sa-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-2 - -  -->
-		<alter control-id="sa-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-3 - -  -->
-		<alter control-id="sa-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-4 - -  -->
 		<alter control-id="sa-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.</p>
-					<p>See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.</p>
+			<add position="ending">
+				<part id="sa-4_fr" name="item" ns="fedramp">
+					<title>SA-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-4 (1) - -  -->
-		<alter subcontrol-id="sa-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-4 (2) - -  -->
-		<alter subcontrol-id="sa-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-4 (8) - -  -->
-		<alter subcontrol-id="sa-4.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-4 (9) - -  -->
-		<alter subcontrol-id="sa-4.9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-4 (10) - -  -->
-		<alter subcontrol-id="sa-4.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-5 - -  -->
-		<alter control-id="sa-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-8 - -  -->
-		<alter control-id="sa-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-9 - -  -->
-		<alter control-id="sa-9">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-9 (1) - -  -->
-		<alter subcontrol-id="sa-9.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-9 (2) - -  -->
-		<alter subcontrol-id="sa-9.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-9 (4) - -  -->
-		<alter subcontrol-id="sa-9.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
-		<!-- - - SA-9 (5) - -  -->
-		<alter subcontrol-id="sa-9.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
+		<!-- - - SA-4 (8) - -  -->
+		<alter control-id="sa-4.8">
+			<add position="ending">
+				<part id="sa-4.8_fr" name="item" ns="fedramp">
+					<title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-4.8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
+		<!-- - - SA-4 (9) - -  -->
+		<!-- - - SA-4 (10) - -  -->
+		<!-- - - SA-5 - -  -->
+		<!-- - - SA-8 - -  -->
+		<!-- - - SA-9 - -  -->
+		<!-- - - SA-9 (1) - -  -->
+		<!-- - - SA-9 (2) - -  -->
+		<!-- - - SA-9 (4) - -  -->
+		<!-- - - SA-9 (5) - -  -->
 		<!-- - - SA-10 - -  -->
 		<alter control-id="sa-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>(e)  Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
+			<add position="ending">
+				<part id="sa-10_fr" name="item" ns="fedramp">
+					<title>SA-10 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-10_fr_smt.1" name="item">
+						<prop name="label">(e)  Requirement:</prop>
+						<p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-10 (1) - -  -->
-		<alter subcontrol-id="sa-10.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-11 - -  -->
-		<alter control-id="sa-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-11 (1) - -  -->
-		<alter subcontrol-id="sa-11.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+		<alter control-id="sa-11.1">
+			<add position="ending">
+				<part id="sa-11.1_fr" name="item" ns="fedramp">
+					<title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-11.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-11 (2) - -  -->
-		<alter subcontrol-id="sa-11.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-11 (8) - -  -->
-		<alter subcontrol-id="sa-11.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+		<alter control-id="sa-11.8">
+			<add position="ending">
+				<part id="sa-11.8_fr" name="item" ns="fedramp">
+					<title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-11.8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-12 - -  -->
-		<alter control-id="sa-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-15 - -  -->
-		<alter control-id="sa-15">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-16 - -  -->
-		<alter control-id="sa-16">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SA-17 - -  -->
-		<alter control-id="sa-17">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-1 - -  -->
-		<alter control-id="sc-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-2 - -  -->
-		<alter control-id="sc-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-3 - -  -->
-		<alter control-id="sc-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-4 - -  -->
-		<alter control-id="sc-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-5 - -  -->
-		<alter control-id="sc-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-6 - -  -->
-		<alter control-id="sc-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 - -  -->
-		<alter control-id="sc-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (3) - -  -->
-		<alter subcontrol-id="sc-7.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (4) - -  -->
-		<alter subcontrol-id="sc-7.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (5) - -  -->
-		<alter subcontrol-id="sc-7.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (7) - -  -->
-		<alter subcontrol-id="sc-7.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (8) - -  -->
-		<alter subcontrol-id="sc-7.8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (10) - -  -->
-		<alter subcontrol-id="sc-7.10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems warrant careful attention to scenarios associated with exfiltration of sensitive organizational information. Different systems and implementation will trigger different scenarios, but regardless of the specific system context, organizations are warranted in establishing this control for high-impact systems with subsystems deployed into shared-service environments.</p>
-					<p>ANALYSIS. Organizations should devote careful attention to design considerations relative to this control.</p>
-					<p>SAMPLE THREAT VECTORS. Authorized processes push very large volumes of data to external networks. Internal devices send address/status/security information to external networks.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES: Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (12) - -  -->
-		<alter subcontrol-id="sc-7.12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (13) - -  -->
-		<alter subcontrol-id="sc-7.13">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-					<p>Guidance: Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers,  centralized audit log servers etc.</p>
+		<alter control-id="sc-7.13">
+			<add position="ending">
+				<part id="sc-7.13_fr" name="item" ns="fedramp">
+					<title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-7.13_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
+					</part>
+					<part id="sc-7.13_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SC-7 (18) - -  -->
-		<alter subcontrol-id="sc-7.18">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (20) - -  -->
-		<alter subcontrol-id="sc-7.20">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. High-impact systems warrant careful attention to situations where specific sources or methods become suspect. Such situations can involve specific user accounts, messages, message payloads, data, applications, or even entire subsystems. Under these circumstances, a capability for dynamic segregation is highly justified.</p>
-					<p>ANALYSIS. Isolation techniques are well understood in the cyber market, and constantly evolving. Example techniques include honey pots and honey nets. Both techniques can isolate a user, an autonomous application, or an entire subsystem.</p>
-					<p>SAMPLE THREAT VECTORS. Anomalous user behavior is detected Messages arrive from suspect domains. Messages arrive with suspect attachments. Applications begin to behave anomalously. Subsystems begin moving data anomalously.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-7 (21) - -  -->
-		<alter subcontrol-id="sc-7.21">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-8 - -  -->
-		<alter control-id="sc-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-8 (1) - -  -->
-		<alter subcontrol-id="sc-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-10 - -  -->
-		<alter control-id="sc-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-12 - -  -->
 		<alter control-id="sc-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Federally approved cryptography</p>
+			<add position="ending">
+				<part id="sc-12_fr" name="item" ns="fedramp">
+					<title>SC-12 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Federally approved and validated cryptography.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SC-12 (1) - -  -->
-		<alter subcontrol-id="sc-12.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-12 (2) - -  -->
-		<alter subcontrol-id="sc-12.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-12 (3) - -  -->
-		<alter subcontrol-id="sc-12.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-13 - -  -->
-		<alter control-id="sc-13">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-15 - -  -->
 		<alter control-id="sc-15">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+			<add position="ending">
+				<part id="sc-15_fr" name="item" ns="fedramp">
+					<title>SC-15 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-15_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SC-17 - -  -->
-		<alter control-id="sc-17">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-18 - -  -->
-		<alter control-id="sc-18">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-19 - -  -->
-		<alter control-id="sc-19">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-20 - -  -->
-		<alter control-id="sc-20">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-21 - -  -->
-		<alter control-id="sc-21">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-22 - -  -->
-		<alter control-id="sc-22">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-23 - -  -->
-		<alter control-id="sc-23">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-23 (1) - -  -->
-		<alter subcontrol-id="sc-23.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection:    Rationale for Selection for SA L1: At L1 this CE is only applicable to privileged user sessions.</p>
-					<p>Rationale for Selection L1-6: Best Practice; APT. This CE  mitigates the threat/vulnerability inherant in authenticated sessions whereby If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and CSP customer resources and information/data.</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs:  If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and/or CSP customer resources and information/data. While unnessary for user sessions at L1, this enhancement is selected for System Administrator sessions.</p>
-					<p>Priority for adding to  FedRAMP-M: High</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-24 - -  -->
-		<alter control-id="sc-24">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-28 - -  -->
 		<alter control-id="sc-28">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
+			<add position="ending">
+				<part id="sc-28_fr" name="item" ns="fedramp">
+					<title>SC-28 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-28_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SC-28 (1) - -  -->
-		<alter subcontrol-id="sc-28.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SC-39 - -  -->
-		<alter control-id="sc-39">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-1 - -  -->
-		<alter control-id="si-1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-2 - -  -->
-		<alter control-id="si-2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-2 (1) - -  -->
-		<alter subcontrol-id="si-2.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-2 (2) - -  -->
-		<alter subcontrol-id="si-2.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-2 (3) - -  -->
-		<alter subcontrol-id="si-2.3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-3 - -  -->
-		<alter control-id="si-3">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-3 (1) - -  -->
-		<alter subcontrol-id="si-3.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-3 (2) - -  -->
-		<alter subcontrol-id="si-3.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-3 (7) - -  -->
-		<alter subcontrol-id="si-3.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 - -  -->
 		<alter control-id="si-4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: See US-CERT Incident Response Reporting Guidelines.</p>
+			<add position="ending">
+				<part id="si-4_fr" name="item" ns="fedramp">
+					<title>SI-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="si-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See US-CERT Incident Response Reporting Guidelines.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SI-4 (1) - -  -->
-		<alter subcontrol-id="si-4.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (2) - -  -->
-		<alter subcontrol-id="si-4.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (4) - -  -->
-		<alter subcontrol-id="si-4.4">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (5) - -  -->
-		<alter subcontrol-id="si-4.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: In accordance with the incident response plan.</p>
+		<alter control-id="si-4.5">
+			<add position="ending">
+				<part id="si-4.5_fr" name="item" ns="fedramp">
+					<title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="si-4.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>In accordance with the incident response plan.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SI-4 (11) - -  -->
-		<alter subcontrol-id="si-4.11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of its sensitive information. This control partially meets that need.</p>
-					<p>ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood and embedded in COTS operating systems and software.</p>
-					<p>SAMPLE THREAT VECTORS. Large outbound file transfers execute without being detected. External malware network sites are accessed from within the organization without detection. Network sessions remain connected for long periods of time without detection. Esoteric protocols are active and undetected on ports not defined by the organization.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (14) - -  -->
-		<alter subcontrol-id="si-4.14">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (16) - -  -->
-		<alter subcontrol-id="si-4.16">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (18) - -  -->
-		<alter subcontrol-id="si-4.18">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of sensitive information. This control partially meets that need.</p>
-					<p>ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood, and embedded in COTS operating systems and software.</p>
-					<p>SAMPLE THREAT VECTORS. Large outbound files are disguised to transfer without being detected. Communications with external malware network sites are embedded to avoid detection.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Substantiated Integrity, Monitored, Assessed</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (19) - -  -->
-		<alter subcontrol-id="si-4.19">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for De-Selection L1-3: The information sensitivity at these levels does not seem to warrant implementation of this CE. The costs for instituting fine-grained monitoring per individual far may outweigh the risks</p>
-					<p>Rationale for selection L4-6: SP Insider Threat mitigation; The information sensitivity at these levels warrants implementation of this CE.Best business practice for the protection of the CSP and customer alike.  This enhancement works in conjunction with AC-2 (13) account disablement for such individuals and IR-4 (6).</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs:  This enhancement works in conjunction with or opposite of AC-2 (13) which requires acount disablement within a specific time frame of discovering or identifying an individual posing a significant insider threat. In some instances the best action is not to terminate the individual's account, but rather to monitor their actions. This allows for the ability to collect evidence (for prosecution) and obtain insight into the TTPs that they may be using  and others they may working with. Termination of the account is often best left as a final act.</p>
-					<p>Priority for adding to  FedRAMP-M: Moderate</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (20) - -  -->
-		<alter subcontrol-id="si-4.20">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Rationale for Selection: Best business practice for the protection of the CSP and customer alike.  Given the scale of a cloud, the possible harm by an malicious insider is greatly magnified over normal systems.</p>
-					<p>ECSB Supplemental Guidance as the C/CE relates to CSPs:  his CE is on a par with SI-4 (9), IR-4 (6) and the various other insider threat Cs/CEs. Supports the mitigation of insider threat from those that can do the most damage. While CSPs typically claim they only have privileged users in their infrastructure (other than customers), this CEadds value for privilege users that have higher privilege than others. These higher privileged users should be subject to additional monitoring.</p>
-					<p>Priority for adding to  FedRAMP-M: High</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (22) - -  -->
-		<alter subcontrol-id="si-4.22">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should monitor network services to protect against unauthorized services capable of exfiltrating sensitive information. This control meets that monitoring need.</p>
-					<p>ANALYSIS. The tools and techniques for implementing this monitoring control are well understood, and embedded in COTS operating systems and software.</p>
-					<p>SAMPLE THREAT VECTORS. Systems daemons and application services running in the background, exfiltrating sensitive information to external networks.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (23) - -  -->
-		<alter subcontrol-id="si-4.23">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-4 (24) - -  -->
-		<alter subcontrol-id="si-4.24">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should aggressively monitor for symptoms that system integrity has been compromised. This control addresses that monitoring need.</p>
-					<p>ANALYSIS. The tools and techniques for implementing this monitoring control are no longer unusual, but their implementation still requires careful initial analysis of tools, standards, and sources for indicators of compromise (IOC) data. This capability is not a simple matter of installing COTS software and watching for alerts. Rather, it requires staff to maintain a keen understanding of the threat-scape in order to properly understand the alerts coming from the IOC subsystem.</p>
-					<p>SAMPLE THREAT VECTORS. Temporary files appear but are not associated with any known system processes; independent security services warn of new surveillance techniques appearing globally; evidence of those new techniques appears in an organization's event logs. Reports on the payload of a new botnet indicate that the system has been touched by the botnet.</p>
-					<p>RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-5 - -  -->
-		<alter control-id="si-5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-5 (1) - -  -->
-		<alter subcontrol-id="si-5.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-6 - -  -->
-		<alter control-id="si-6">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 - -  -->
-		<alter control-id="si-7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 (1) - -  -->
-		<alter subcontrol-id="si-7.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 (2) - -  -->
-		<alter subcontrol-id="si-7.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 (5) - -  -->
-		<alter subcontrol-id="si-7.5">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 (7) - -  -->
-		<alter subcontrol-id="si-7.7">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-7 (14) - -  -->
-		<alter subcontrol-id="si-7.14">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-8 - -  -->
-		<alter control-id="si-8">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-8 (1) - -  -->
-		<alter subcontrol-id="si-8.1">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-8 (2) - -  -->
-		<alter subcontrol-id="si-8.2">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-10 - -  -->
-		<alter control-id="si-10">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-11 - -  -->
-		<alter control-id="si-11">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-12 - -  -->
-		<alter control-id="si-12">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 		<!-- - - SI-16 - -  -->
-		<alter control-id="si-16">
-			<add position="starting">
-				<part name="justification" ns="FedRAMP">
-					<p>Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4</p>
-				</part>
-			</add>
-		</alter>
 	</modify>
 </profile>
\ No newline at end of file
diff --git a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
index 9c4e2b7120..19b40b6141 100644
--- a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
+++ b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
@@ -16,7 +16,7 @@
 			</org>
 		</party>
 	</metadata>
-  <import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml">
+	<import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
 		<include>
 			<call control-id="ac-1"/>
 			<call control-id="ac-2"/>
@@ -45,6 +45,7 @@
 			<call control-id="au-12"/>
 			<call control-id="ca-1"/>
 			<call control-id="ca-2"/>
+			<call control-id="ca-2.1"/>
 			<call control-id="ca-3"/>
 			<call control-id="ca-5"/>
 			<call control-id="ca-6"/>
@@ -66,19 +67,19 @@
 			<call control-id="cp-10"/>
 			<call control-id="ia-1"/>
 			<call control-id="ia-2"/>
-			<call subcontrol-id="ia-2.1"/>
-			<call subcontrol-id="ia-2.12"/>
+			<call control-id="ia-2.1"/>
+			<call control-id="ia-2.12"/>
 			<call control-id="ia-4"/>
 			<call control-id="ia-5"/>
-			<call subcontrol-id="ia-5.1"/>
-			<call subcontrol-id="ia-5.11"/>
+			<call control-id="ia-5.1"/>
+			<call control-id="ia-5.11"/>
 			<call control-id="ia-6"/>
 			<call control-id="ia-7"/>
 			<call control-id="ia-8"/>
-			<call subcontrol-id="ia-8.1"/>
-			<call subcontrol-id="ia-8.2"/>
-			<call subcontrol-id="ia-8.3"/>
-			<call subcontrol-id="ia-8.4"/>
+			<call control-id="ia-8.1"/>
+			<call control-id="ia-8.2"/>
+			<call control-id="ia-8.3"/>
+			<call control-id="ia-8.4"/>
 			<call control-id="ir-1"/>
 			<call control-id="ir-2"/>
 			<call control-id="ir-4"/>
@@ -141,15 +142,20 @@
 			<call control-id="si-4"/>
 			<call control-id="si-5"/>
 			<call control-id="si-12"/>
+			<call control-id="si-16"/>
 		</include>
 	</import>
-  <import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
+	<import href="FedRAMP_catalog.xml">
 		<include>
-			<call subcontrol-id="ca-2.1"/>
-			<call control-id="si-16"/>
+			<call control-id="ac-8.fr"/>
+			<call control-id="ca-7.fr"/>
+			<call control-id="sc-15.fr"/>
 		</include>
 	</import>
-	<merge/>
+	<merge>
+		<combine method="keep" />
+		<as-is>true</as-is>
+	</merge>
 	<modify>
 		<!-- - - AC-1 - -  -->
 		<set param-id="ac-1_prm_2">
@@ -165,16 +171,13 @@
 		<!-- - - AC-3 - -  -->
 		<!-- - - AC-7 - -  -->
 		<set param-id="ac-7_prm_1">
-			<constraint>not more than three</constraint>
+			<constraint>not more than three (3)</constraint>
 		</set>
 		<set param-id="ac-7_prm_2">
-			<constraint>fifteen minutes</constraint>
-		</set>
-		<set param-id="ac-7_prm_3">
-			<constraint>locks the account/node for thirty minutes</constraint>
+			<constraint>fifteen (15) minutes</constraint>
 		</set>
 		<set param-id="ac-7_prm_4">
-			<constraint>locks the account/node for thirty minutes</constraint>
+			<constraint>thirty (30) minutes</constraint>
 		</set>
 		<!-- - - AC-8 - -  -->
 		<set param-id="ac-8_prm_1">
@@ -245,9 +248,6 @@
 		<set param-id="au-12_prm_1">
 			<constraint>all information system and network components where audit capability is deployed/available</constraint>
 		</set>
-		<set param-id="au-12_prm_2">
-			<constraint>all information system and network components where audit capability is deployed/available</constraint>
-		</set>
 		<!-- - - CA-1 - -  -->
 		<set param-id="ca-1_prm_2">
 			<constraint>at least every 3 years</constraint>
@@ -363,19 +363,10 @@
 			<constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
 		</set>
 		<!-- - - IA-5 - -  -->
-		<set param-id="ia-5_prm_1">
-			<constraint>to include sixty (60) days for passwords</constraint>
-		</set>
 		<!-- - - IA-5 (1) - -  -->
-		<set param-id="ia-5.1_prm_1">
-			<constraint>case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters</constraint>
-		</set>
 		<set param-id="ia-5.1_prm_2">
 			<constraint>at least one</constraint>
 		</set>
-		<set param-id="ia-5.1_prm_3">
-			<constraint>one day minimum, sixty day maximum</constraint>
-		</set>
 		<set param-id="ia-5.1_prm_4">
 			<constraint>twenty four</constraint>
 		</set>
@@ -515,8 +506,7 @@
 		</set>
 		<!-- - - PS-3 - -  -->
 		<set param-id="ps-3_prm_1">
-			<constraint>PS-3 (b) [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance
-For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year There is no reinvestigation for other moderate risk positions or any low risk positions]</constraint>
+			<constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
 		</set>
 		<!-- - - PS-4 - -  -->
 		<set param-id="ps-4_prm_1">
@@ -553,9 +543,6 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<set param-id="ra-3_prm_3">
 			<constraint>at least every three (3) years or when a significant change occurs</constraint>
 		</set>
-		<set param-id="ra-3_prm_4">
-			<constraint>to include all Authoring Officials and FedRAMP ISSOs</constraint>
-		</set>
 		<set param-id="ra-3_prm_5">
 			<constraint>at least every three (3) years or when a significant change occurs</constraint>
 		</set>
@@ -564,7 +551,7 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 			<constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
 		</set>
 		<set param-id="ra-5_prm_2">
-			<constraint>high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery</constraint>
+			<constraint>[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
 		</set>
 		<!-- - - SA-1 - -  -->
 		<set param-id="sa-1_prm_2">
@@ -643,11 +630,21 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - AC-7 - -  -->
 		<!-- - - AC-8 - -  -->
 		<alter control-id="ac-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB.</p>
-					<p>Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB.</p>
-					<p>Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.</p>
+			<add position="ending">
+				<part id="ac-8_fr" name="item" ns="fedramp">
+					<title>AC-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="ac-8_fr_smt.2" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
+					</part>
+					<part id="ac-8_fr_smt.3" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -664,9 +661,13 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - AU-1 - -  -->
 		<!-- - - AU-2 - -  -->
 		<alter control-id="au-2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="au-2_fr" name="item" ns="fedramp">
+					<title>AU-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-2_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -675,9 +676,13 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - AU-5 - -  -->
 		<!-- - - AU-6 - -  -->
 		<alter control-id="au-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+			<add position="ending">
+				<part id="au-6_fr" name="item" ns="fedramp">
+					<title>AU-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -685,49 +690,88 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - AU-9 - -  -->
 		<!-- - - AU-11 - -  -->
 		<alter control-id="au-11">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
+			<add position="ending">
+				<part id="au-11_fr" name="item" ns="fedramp">
+					<title>AU-11 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-11_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-12 - -  -->
 		<!-- - - CA-1 - -  -->
 		<!-- - - CA-2 - -  -->
+		<alter control-id="ca-2">
+			<add position="ending">
+				<part id="ca-2_fr" name="item" ns="fedramp">
+					<title>CA-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - CA-2 (1) - -  -->
-		<alter subcontrol-id="ca-2.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Must use an accredited 3PAO for JAB authorization</p>
+		<alter control-id="ca-2.1">
+			<add position="ending">
+				<part id="ca-2.1_fr" name="item" ns="fedramp">
+					<title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-3 - -  -->
 		<!-- - - CA-5 - -  -->
 		<alter control-id="ca-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Requirement: POA&amp;Ms must be provided at least monthly.</p>
+			<add position="ending">
+				<part id="ca-5_fr" name="item" ns="fedramp">
+					<title>CA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
+					</part>
+					<part id="ca-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-6 - -  -->
 		<alter control-id="ca-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>-c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="ca-6_fr" name="item" ns="fedramp">
+					<title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-7 - -  -->
 		<alter control-id="ca-7">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually</p>
-					<p>Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-					<p>Operating System Scans: at least monthly</p>
-					<p>Database and Web Application Scans: at least monthly</p>
-					<p>All scans performed by Independent Assessor: at least annually</p>
+			<add position="ending">
+				<part id="ca-7_fr" name="item" ns="fedramp">
+					<title>CA-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
+					</part>
+					<part id="ca-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
+					</part>
+					<part id="ca-7_fr_gdn.2" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -737,29 +781,50 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - CM-4 - -  -->
 		<!-- - - CM-6 - -  -->
 		<alter control-id="cm-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.</p>
-					<p>(a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).</p>
-					<p>(a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
+			<add position="ending">
+				<part id="cm-6_fr" name="item" ns="fedramp">
+					<title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-6_fr_smt.1" name="item">
+						<prop name="label">Requirement 1:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
+					</part>
+					<part id="cm-6_fr_smt.2" name="item">
+						<prop name="label">Requirement 2:</prop>
+						<p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
+					</part>
+					<part id="cm-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-7 - -  -->
 		<alter control-id="cm-7">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-					<p>Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
-					<p>(Partially derived from AC-17(8).)</p>
+			<add position="ending">
+				<part id="cm-7_fr" name="item" ns="fedramp">
+					<title>CM-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
+					</part>
+					<part id="cm-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>
+							Partially derived from AC-17(8).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-8 - -  -->
 		<alter control-id="cm-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: must be provided at least monthly or when there is a change.</p>
+			<add position="ending">
+				<part id="cm-8_fr" name="item" ns="fedramp">
+					<title>CM-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Must be provided at least monthly or when there is a change.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -768,29 +833,50 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - CP-1 - -  -->
 		<!-- - - CP-2 - -  -->
 		<alter control-id="cp-2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="cp-2_fr" name="item" ns="fedramp">
+					<title>CP-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-2_fr_smt.1" name="item">
+						<prop name="label">CP-2 Requirement:</prop>
+						<p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-3 - -  -->
 		<!-- - - CP-4 - -  -->
 		<alter control-id="cp-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a). Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+			<add position="ending">
+				<part id="cp-4_fr" name="item" ns="fedramp">
+					<title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-4_fr_smt.a" name="item">
+						<prop name="label">CP-4(a) Requirement:</prop>
+						<p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-9 - -  -->
 		<alter control-id="cp-9">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-					<p>(a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.</p>
+			<add position="ending">
+				<part id="cp-9_fr" name="item" ns="fedramp">
+					<title>CP-9 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-9_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
+					</part>
+					<part id="cp-9_fr_smt.a" name="item">
+						<prop name="label">CP-9(a) Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.b" name="item">
+						<prop name="label">CP-9(b)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.c" name="item">
+						<prop name="label">CP-9(c)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -799,24 +885,57 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - IA-2 - -  -->
 		<!-- - - IA-2 (1) - -  -->
 		<!-- - - IA-2 (12) - -  -->
-		<alter subcontrol-id="ia-2.12">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+		<alter control-id="ia-2.12">
+			<add position="ending">
+				<part id="ia-2.12_fr" name="item" ns="fedramp">
+					<title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-2.12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-4 - -  -->
 		<alter control-id="ia-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(e) Requirement: The service provider defines time period of inactivity for device identifiers.</p>
-					<p>Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.</p>
+			<add position="ending">
+				<part id="ia-4_fr" name="item" ns="fedramp">
+					<title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-4_fr_smt.e" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines the time period of inactivity for device identifiers.</p>
+					</part>
+					<part id="ia-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-5 - -  -->
+		<alter control-id="ia-5">
+			<add position="ending">
+				<part id="ia-5_fr" name="item" ns="fedramp">
+					<title>IA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - IA-5 (1) - -  -->
+		<alter control-id="ia-5.1">
+			<add position="ending">
+				<part id="ia-5.1_fr" name="item" ns="fedramp">
+					<title>IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance (a) (d):</prop>
+						<p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - IA-5 (11) - -  -->
 		<!-- - - IA-6 - -  -->
 		<!-- - - IA-7 - -  -->
@@ -829,28 +948,43 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - IR-2 - -  -->
 		<!-- - - IR-4 - -  -->
 		<alter control-id="ir-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+			<add position="ending">
+				<part id="ir-4_fr" name="item" ns="fedramp">
+					<title>IR-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-4_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IR-5 - -  -->
 		<!-- - - IR-6 - -  -->
 		<alter control-id="ir-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.</p>
+			<add position="ending">
+				<part id="ir-6_fr" name="item" ns="fedramp">
+					<title>IR-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IR-7 - -  -->
 		<!-- - - IR-8 - -  -->
 		<alter control-id="ir-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
-					<p>(e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="ir-8_fr" name="item" ns="fedramp">
+					<title>IR-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-8_fr_smt.b" name="item">
+						<prop name="label">(b) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
+					<part id="ir-8_fr_smt.e" name="item">
+						<prop name="label">(e) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -871,9 +1005,13 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - PE-13 - -  -->
 		<!-- - - PE-14 - -  -->
 		<alter control-id="pe-14">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a). Requirements:  The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+			<add position="ending">
+				<part id="pe-14_fr" name="item" ns="fedramp">
+					<title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="pe-14_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -894,18 +1032,39 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - RA-2 - -  -->
 		<!-- - - RA-3 - -  -->
 		<alter control-id="ra-3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.</p>
+			<add position="ending">
+				<part id="ra-3_fr" name="item" ns="fedramp">
+					<title>RA-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
+					</part>
+					<part id="ra-3_fr_smt.d" name="item">
+						<prop name="label">RA-3 (d) Requirement:</prop>
+						<p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 - -  -->
 		<alter control-id="ra-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-					<p>(e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP</p>
+			<add>
+				<part id="ra-5_fr_smt.a" name="item">
+					<title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (a)Requirement:</prop>
+					<p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
+				</part>
+				<part id="ra-5_fr_smt.e" name="item">
+					<title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (e)Requirement:</prop>
+					<p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
+				</part>
+				<part id="ra-5_fr" name="item" ns="fedramp">
+					<title>RA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p><strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -914,33 +1073,58 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - SA-3 - -  -->
 		<!-- - - SA-4 - -  -->
 		<alter control-id="sa-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.</p>
-					<p>See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.</p>
+			<add position="ending">
+				<part id="sa-4_fr" name="item" ns="fedramp">
+					<title>SA-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-5 - -  -->
 		<!-- - - SA-9 - -  -->
+		<alter control-id="sa-9">
+			<add position="ending">
+				<part id="sa-9_fr" name="item" ns="fedramp">
+					<title>SA-9 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-9_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents">https://www.FedRAMP.gov/documents</a></p>
+					</part>
+					<part id="sa-9_fr_gdn.2" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance</p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - SC-1 - -  -->
 		<!-- - - SC-5 - -  -->
 		<!-- - - SC-7 - -  -->
 		<!-- - - SC-12 - -  -->
 		<alter control-id="sc-12">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Federally approved cryptography</p>
+			<add position="ending">
+				<part id="sc-12_fr" name="item" ns="fedramp">
+					<title>SC-12 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Federally approved and validated cryptography.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SC-13 - -  -->
 		<!-- - - SC-15 - -  -->
 		<alter control-id="sc-15">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Additional FedRAMP Requirements and Guidance:</p>
-					<p>Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+			<add position="ending">
+				<part id="sc-15_fr" name="item" ns="fedramp">
+					<title>SC-15 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-15_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -953,9 +1137,13 @@ For moderate risk law enforcement and high impact public trust level, a reinvest
 		<!-- - - SI-3 - -  -->
 		<!-- - - SI-4 - -  -->
 		<alter control-id="si-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: See US-CERT Incident Response Reporting Guidelines.</p>
+			<add position="ending">
+				<part id="si-4_fr" name="item" ns="fedramp">
+					<title>SI-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="si-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See US-CERT Incident Response Reporting Guidelines.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
diff --git a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
index 721000baa3..e62489295d 100644
--- a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
+++ b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
@@ -16,196 +16,236 @@
 			</org>
 		</party>
 	</metadata>
-	<import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml">
+	<import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
 		<include>
 			<call control-id="ac-1"/>
 			<call control-id="ac-2"/>
-			<call subcontrol-id="ac-2.1"/>
-			<call subcontrol-id="ac-2.2"/>
-			<call subcontrol-id="ac-2.3"/>
-			<call subcontrol-id="ac-2.4"/>
+			<call control-id="ac-2.1"/>
+			<call control-id="ac-2.2"/>
+			<call control-id="ac-2.3"/>
+			<call control-id="ac-2.4"/>
+			<call control-id="ac-2.5"/>
+			<call control-id="ac-2.7"/>
+			<call control-id="ac-2.9"/>
+			<call control-id="ac-2.10"/>
+			<call control-id="ac-2.12"/>
 			<call control-id="ac-3"/>
 			<call control-id="ac-4"/>
+			<call control-id="ac-4.21"/>
 			<call control-id="ac-5"/>
 			<call control-id="ac-6"/>
-			<call subcontrol-id="ac-6.1"/>
-			<call subcontrol-id="ac-6.2"/>
-			<call subcontrol-id="ac-6.5"/>
-			<call subcontrol-id="ac-6.9"/>
-			<call subcontrol-id="ac-6.10"/>
+			<call control-id="ac-6.1"/>
+			<call control-id="ac-6.2"/>
+			<call control-id="ac-6.5"/>
+			<call control-id="ac-6.9"/>
+			<call control-id="ac-6.10"/>
 			<call control-id="ac-7"/>
 			<call control-id="ac-8"/>
+			<call control-id="ac-10"/>
 			<call control-id="ac-11"/>
-			<call subcontrol-id="ac-11.1"/>
+			<call control-id="ac-11.1"/>
 			<call control-id="ac-12"/>
 			<call control-id="ac-14"/>
 			<call control-id="ac-17"/>
-			<call subcontrol-id="ac-17.1"/>
-			<call subcontrol-id="ac-17.2"/>
-			<call subcontrol-id="ac-17.3"/>
-			<call subcontrol-id="ac-17.4"/>
+			<call control-id="ac-17.1"/>
+			<call control-id="ac-17.2"/>
+			<call control-id="ac-17.3"/>
+			<call control-id="ac-17.4"/>
+			<call control-id="ac-17.9"/>
 			<call control-id="ac-18"/>
-			<call subcontrol-id="ac-18.1"/>
+			<call control-id="ac-18.1"/>
 			<call control-id="ac-19"/>
-			<call subcontrol-id="ac-19.5"/>
+			<call control-id="ac-19.5"/>
 			<call control-id="ac-20"/>
-			<call subcontrol-id="ac-20.1"/>
-			<call subcontrol-id="ac-20.2"/>
+			<call control-id="ac-20.1"/>
+			<call control-id="ac-20.2"/>
 			<call control-id="ac-21"/>
 			<call control-id="ac-22"/>
 			<call control-id="at-1"/>
 			<call control-id="at-2"/>
-			<call subcontrol-id="at-2.2"/>
+			<call control-id="at-2.2"/>
 			<call control-id="at-3"/>
 			<call control-id="at-4"/>
 			<call control-id="au-1"/>
 			<call control-id="au-2"/>
-			<call subcontrol-id="au-2.3"/>
+			<call control-id="au-2.3"/>
 			<call control-id="au-3"/>
-			<call subcontrol-id="au-3.1"/>
+			<call control-id="au-3.1"/>
 			<call control-id="au-4"/>
 			<call control-id="au-5"/>
 			<call control-id="au-6"/>
-			<call subcontrol-id="au-6.1"/>
-			<call subcontrol-id="au-6.3"/>
+			<call control-id="au-6.1"/>
+			<call control-id="au-6.3"/>
 			<call control-id="au-7"/>
-			<call subcontrol-id="au-7.1"/>
+			<call control-id="au-7.1"/>
 			<call control-id="au-8"/>
-			<call subcontrol-id="au-8.1"/>
+			<call control-id="au-8.1"/>
 			<call control-id="au-9"/>
-			<call subcontrol-id="au-9.4"/>
+			<call control-id="au-9.2"/>
+			<call control-id="au-9.4"/>
 			<call control-id="au-11"/>
 			<call control-id="au-12"/>
 			<call control-id="ca-1"/>
 			<call control-id="ca-2"/>
-			<call subcontrol-id="ca-2.1"/>
+			<call control-id="ca-2.1"/>
+			<call control-id="ca-2.2"/>
+			<call control-id="ca-2.3"/>
 			<call control-id="ca-3"/>
-			<call subcontrol-id="ca-3.5"/>
+			<call control-id="ca-3.3"/>
+			<call control-id="ca-3.5"/>
 			<call control-id="ca-5"/>
 			<call control-id="ca-6"/>
 			<call control-id="ca-7"/>
-			<call subcontrol-id="ca-7.1"/>
+			<call control-id="ca-7.1"/>
+			<call control-id="ca-8"/>
+			<call control-id="ca-8.1"/>
 			<call control-id="ca-9"/>
 			<call control-id="cm-1"/>
 			<call control-id="cm-2"/>
-			<call subcontrol-id="cm-2.1"/>
-			<call subcontrol-id="cm-2.3"/>
-			<call subcontrol-id="cm-2.7"/>
+			<call control-id="cm-2.1"/>
+			<call control-id="cm-2.2"/>
+			<call control-id="cm-2.3"/>
+			<call control-id="cm-2.7"/>
 			<call control-id="cm-3"/>
 			<call control-id="cm-4"/>
 			<call control-id="cm-5"/>
+			<call control-id="cm-5.1"/>
+			<call control-id="cm-5.3"/>
+			<call control-id="cm-5.5"/>
 			<call control-id="cm-6"/>
+			<call control-id="cm-6.1"/>
 			<call control-id="cm-7"/>
-			<call subcontrol-id="cm-7.1"/>
-			<call subcontrol-id="cm-7.2"/>
+			<call control-id="cm-7.1"/>
+			<call control-id="cm-7.2"/>
+			<call control-id="cm-7.5"/>
 			<call control-id="cm-8"/>
-			<call subcontrol-id="cm-8.1"/>
-			<call subcontrol-id="cm-8.3"/>
-			<call subcontrol-id="cm-8.5"/>
+			<call control-id="cm-8.1"/>
+			<call control-id="cm-8.3"/>
+			<call control-id="cm-8.5"/>
 			<call control-id="cm-9"/>
 			<call control-id="cm-10"/>
+			<call control-id="cm-10.1"/>
 			<call control-id="cm-11"/>
 			<call control-id="cp-1"/>
 			<call control-id="cp-2"/>
-			<call subcontrol-id="cp-2.1"/>
-			<call subcontrol-id="cp-2.3"/>
-			<call subcontrol-id="cp-2.8"/>
+			<call control-id="cp-2.1"/>
+			<call control-id="cp-2.2"/>
+			<call control-id="cp-2.3"/>
+			<call control-id="cp-2.8"/>
 			<call control-id="cp-3"/>
 			<call control-id="cp-4"/>
-			<call subcontrol-id="cp-4.1"/>
+			<call control-id="cp-4.1"/>
 			<call control-id="cp-6"/>
-			<call subcontrol-id="cp-6.1"/>
-			<call subcontrol-id="cp-6.3"/>
+			<call control-id="cp-6.1"/>
+			<call control-id="cp-6.3"/>
 			<call control-id="cp-7"/>
-			<call subcontrol-id="cp-7.1"/>
-			<call subcontrol-id="cp-7.2"/>
-			<call subcontrol-id="cp-7.3"/>
+			<call control-id="cp-7.1"/>
+			<call control-id="cp-7.2"/>
+			<call control-id="cp-7.3"/>
 			<call control-id="cp-8"/>
-			<call subcontrol-id="cp-8.1"/>
-			<call subcontrol-id="cp-8.2"/>
+			<call control-id="cp-8.1"/>
+			<call control-id="cp-8.2"/>
 			<call control-id="cp-9"/>
-			<call subcontrol-id="cp-9.1"/>
+			<call control-id="cp-9.1"/>
+			<call control-id="cp-9.3"/>
 			<call control-id="cp-10"/>
-			<call subcontrol-id="cp-10.2"/>
+			<call control-id="cp-10.2"/>
 			<call control-id="ia-1"/>
 			<call control-id="ia-2"/>
-			<call subcontrol-id="ia-2.1"/>
-			<call subcontrol-id="ia-2.2"/>
-			<call subcontrol-id="ia-2.3"/>
-			<call subcontrol-id="ia-2.8"/>
-			<call subcontrol-id="ia-2.11"/>
-			<call subcontrol-id="ia-2.12"/>
+			<call control-id="ia-2.1"/>
+			<call control-id="ia-2.2"/>
+			<call control-id="ia-2.3"/>
+			<call control-id="ia-2.5"/>
+			<call control-id="ia-2.8"/>
+			<call control-id="ia-2.11"/>
+			<call control-id="ia-2.12"/>
 			<call control-id="ia-3"/>
 			<call control-id="ia-4"/>
+			<call control-id="ia-4.4"/>
 			<call control-id="ia-5"/>
-			<call subcontrol-id="ia-5.1"/>
-			<call subcontrol-id="ia-5.2"/>
-			<call subcontrol-id="ia-5.3"/>
-			<call subcontrol-id="ia-5.11"/>
+			<call control-id="ia-5.1"/>
+			<call control-id="ia-5.2"/>
+			<call control-id="ia-5.3"/>
+			<call control-id="ia-5.4"/>
+			<call control-id="ia-5.6"/>
+			<call control-id="ia-5.7"/>
+			<call control-id="ia-5.11"/>
 			<call control-id="ia-6"/>
 			<call control-id="ia-7"/>
 			<call control-id="ia-8"/>
-			<call subcontrol-id="ia-8.1"/>
-			<call subcontrol-id="ia-8.2"/>
-			<call subcontrol-id="ia-8.3"/>
-			<call subcontrol-id="ia-8.4"/>
+			<call control-id="ia-8.1"/>
+			<call control-id="ia-8.2"/>
+			<call control-id="ia-8.3"/>
+			<call control-id="ia-8.4"/>
 			<call control-id="ir-1"/>
 			<call control-id="ir-2"/>
 			<call control-id="ir-3"/>
-			<call subcontrol-id="ir-3.2"/>
+			<call control-id="ir-3.2"/>
 			<call control-id="ir-4"/>
-			<call subcontrol-id="ir-4.1"/>
+			<call control-id="ir-4.1"/>
 			<call control-id="ir-5"/>
 			<call control-id="ir-6"/>
-			<call subcontrol-id="ir-6.1"/>
+			<call control-id="ir-6.1"/>
 			<call control-id="ir-7"/>
-			<call subcontrol-id="ir-7.1"/>
+			<call control-id="ir-7.1"/>
+			<call control-id="ir-7.2"/>
 			<call control-id="ir-8"/>
+			<call control-id="ir-9"/>
+			<call control-id="ir-9.1"/>
+			<call control-id="ir-9.2"/>
+			<call control-id="ir-9.3"/>
+			<call control-id="ir-9.4"/>
 			<call control-id="ma-1"/>
 			<call control-id="ma-2"/>
 			<call control-id="ma-3"/>
-			<call subcontrol-id="ma-3.1"/>
-			<call subcontrol-id="ma-3.2"/>
+			<call control-id="ma-3.1"/>
+			<call control-id="ma-3.2"/>
+			<call control-id="ma-3.3"/>
 			<call control-id="ma-4"/>
-			<call subcontrol-id="ma-4.2"/>
+			<call control-id="ma-4.2"/>
 			<call control-id="ma-5"/>
+			<call control-id="ma-5.1"/>
 			<call control-id="ma-6"/>
 			<call control-id="mp-1"/>
 			<call control-id="mp-2"/>
 			<call control-id="mp-3"/>
 			<call control-id="mp-4"/>
 			<call control-id="mp-5"/>
-			<call subcontrol-id="mp-5.4"/>
+			<call control-id="mp-5.4"/>
 			<call control-id="mp-6"/>
+			<call control-id="mp-6.2"/>
 			<call control-id="mp-7"/>
-			<call subcontrol-id="mp-7.1"/>
+			<call control-id="mp-7.1"/>
 			<call control-id="pe-1"/>
 			<call control-id="pe-2"/>
 			<call control-id="pe-3"/>
 			<call control-id="pe-4"/>
 			<call control-id="pe-5"/>
 			<call control-id="pe-6"/>
-			<call subcontrol-id="pe-6.1"/>
+			<call control-id="pe-6.1"/>
 			<call control-id="pe-8"/>
 			<call control-id="pe-9"/>
 			<call control-id="pe-10"/>
 			<call control-id="pe-11"/>
 			<call control-id="pe-12"/>
 			<call control-id="pe-13"/>
-			<call subcontrol-id="pe-13.3"/>
+			<call control-id="pe-13.2"/>
+			<call control-id="pe-13.3"/>
 			<call control-id="pe-14"/>
+			<call control-id="pe-14.2"/>
 			<call control-id="pe-15"/>
 			<call control-id="pe-16"/>
 			<call control-id="pe-17"/>
 			<call control-id="pl-1"/>
 			<call control-id="pl-2"/>
-			<call subcontrol-id="pl-2.3"/>
+			<call control-id="pl-2.3"/>
 			<call control-id="pl-4"/>
-			<call subcontrol-id="pl-4.1"/>
+			<call control-id="pl-4.1"/>
 			<call control-id="pl-8"/>
 			<call control-id="ps-1"/>
 			<call control-id="ps-2"/>
 			<call control-id="ps-3"/>
+			<call control-id="ps-3.3"/>
 			<call control-id="ps-4"/>
 			<call control-id="ps-5"/>
 			<call control-id="ps-6"/>
@@ -215,36 +255,54 @@
 			<call control-id="ra-2"/>
 			<call control-id="ra-3"/>
 			<call control-id="ra-5"/>
-			<call subcontrol-id="ra-5.1"/>
-			<call subcontrol-id="ra-5.2"/>
-			<call subcontrol-id="ra-5.5"/>
+			<call control-id="ra-5.1"/>
+			<call control-id="ra-5.2"/>
+			<call control-id="ra-5.3"/>
+			<call control-id="ra-5.5"/>
+			<call control-id="ra-5.6"/>
+			<call control-id="ra-5.8"/>
 			<call control-id="sa-1"/>
 			<call control-id="sa-2"/>
 			<call control-id="sa-3"/>
 			<call control-id="sa-4"/>
-			<call subcontrol-id="sa-4.1"/>
-			<call subcontrol-id="sa-4.2"/>
-			<call subcontrol-id="sa-4.9"/>
-			<call subcontrol-id="sa-4.10"/>
+			<call control-id="sa-4.1"/>
+			<call control-id="sa-4.2"/>
+			<call control-id="sa-4.8"/>
+			<call control-id="sa-4.9"/>
+			<call control-id="sa-4.10"/>
 			<call control-id="sa-5"/>
 			<call control-id="sa-8"/>
 			<call control-id="sa-9"/>
-			<call subcontrol-id="sa-9.2"/>
+			<call control-id="sa-9.1"/>
+			<call control-id="sa-9.2"/>
+			<call control-id="sa-9.4"/>
+			<call control-id="sa-9.5"/>
 			<call control-id="sa-10"/>
+			<call control-id="sa-10.1"/>
 			<call control-id="sa-11"/>
+			<call control-id="sa-11.1"/>
+			<call control-id="sa-11.2"/>
+			<call control-id="sa-11.8"/>
 			<call control-id="sc-1"/>
 			<call control-id="sc-2"/>
 			<call control-id="sc-4"/>
 			<call control-id="sc-5"/>
+			<call control-id="sc-6"/>
 			<call control-id="sc-7"/>
-			<call subcontrol-id="sc-7.3"/>
-			<call subcontrol-id="sc-7.4"/>
-			<call subcontrol-id="sc-7.5"/>
-			<call subcontrol-id="sc-7.7"/>
+			<call control-id="sc-7.3"/>
+			<call control-id="sc-7.4"/>
+			<call control-id="sc-7.5"/>
+			<call control-id="sc-7.7"/>
+			<call control-id="sc-7.8"/>
+			<call control-id="sc-7.12"/>
+			<call control-id="sc-7.13"/>
+			<call control-id="sc-7.18"/>
 			<call control-id="sc-8"/>
-			<call subcontrol-id="sc-8.1"/>
+			<call control-id="sc-8.1"/>
 			<call control-id="sc-10"/>
 			<call control-id="sc-12"/>
+			<call control-id="sc-12.2"/>
+			<call control-id="sc-12.3"/>
 			<call control-id="sc-13"/>
 			<call control-id="sc-15"/>
 			<call control-id="sc-17"/>
@@ -255,101 +313,49 @@
 			<call control-id="sc-22"/>
 			<call control-id="sc-23"/>
 			<call control-id="sc-28"/>
+			<call control-id="sc-28.1"/>
 			<call control-id="sc-39"/>
 			<call control-id="si-1"/>
 			<call control-id="si-2"/>
-			<call subcontrol-id="si-2.2"/>
+			<call control-id="si-2.2"/>
+			<call control-id="si-2.3"/>
 			<call control-id="si-3"/>
-			<call subcontrol-id="si-3.1"/>
-			<call subcontrol-id="si-3.2"/>
+			<call control-id="si-3.1"/>
+			<call control-id="si-3.2"/>
+			<call control-id="si-3.7"/>
 			<call control-id="si-4"/>
-			<call subcontrol-id="si-4.2"/>
-			<call subcontrol-id="si-4.4"/>
-			<call subcontrol-id="si-4.5"/>
+			<call control-id="si-4.1"/>
+			<call control-id="si-4.2"/>
+			<call control-id="si-4.4"/>
+			<call control-id="si-4.5"/>
+			<call control-id="si-4.14"/>
+			<call control-id="si-4.16"/>
+			<call control-id="si-4.23"/>
 			<call control-id="si-5"/>
+			<call control-id="si-6"/>
 			<call control-id="si-7"/>
-			<call subcontrol-id="si-7.1"/>
-			<call subcontrol-id="si-7.7"/>
+			<call control-id="si-7.1"/>
+			<call control-id="si-7.7"/>
 			<call control-id="si-8"/>
-			<call subcontrol-id="si-8.1"/>
-			<call subcontrol-id="si-8.2"/>
+			<call control-id="si-8.1"/>
+			<call control-id="si-8.2"/>
 			<call control-id="si-10"/>
 			<call control-id="si-11"/>
 			<call control-id="si-12"/>
 			<call control-id="si-16"/>
 		</include>
 	</import>
-  <import href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
+	<import href="FedRAMP_catalog.xml">
 		<include>
-			<call subcontrol-id="ac-2.5"/>
-			<call subcontrol-id="ac-2.7"/>
-			<call subcontrol-id="ac-2.9"/>
-			<call subcontrol-id="ac-2.10"/>
-			<call subcontrol-id="ac-2.12"/>
-			<call subcontrol-id="ac-4.21"/>
-			<call control-id="ac-10"/>
-			<call subcontrol-id="ac-17.9"/>
-			<call subcontrol-id="au-9.2"/>
-			<call subcontrol-id="ca-2.2"/>
-			<call subcontrol-id="ca-2.3"/>
-			<call subcontrol-id="ca-3.3"/>
-			<call control-id="ca-8"/>
-			<call subcontrol-id="ca-8.1"/>
-			<call subcontrol-id="cm-2.2"/>
-			<call subcontrol-id="cm-5.1"/>
-			<call subcontrol-id="cm-5.3"/>
-			<call subcontrol-id="cm-5.5"/>
-			<call subcontrol-id="cm-6.1"/>
-			<call subcontrol-id="cm-7.5"/>
-			<call subcontrol-id="cm-10.1"/>
-			<call subcontrol-id="cp-2.2"/>
-			<call subcontrol-id="cp-9.3"/>
-			<call subcontrol-id="ia-2.5"/>
-			<call subcontrol-id="ia-4.4"/>
-			<call subcontrol-id="ia-5.4"/>
-			<call subcontrol-id="ia-5.6"/>
-			<call subcontrol-id="ia-5.7"/>
-			<call subcontrol-id="ir-7.2"/>
-			<call control-id="ir-9"/>
-			<call subcontrol-id="ir-9.1"/>
-			<call subcontrol-id="ir-9.2"/>
-			<call subcontrol-id="ir-9.3"/>
-			<call subcontrol-id="ir-9.4"/>
-			<call subcontrol-id="ma-3.3"/>
-			<call subcontrol-id="ma-5.1"/>
-			<call subcontrol-id="mp-6.2"/>
-			<call subcontrol-id="pe-13.2"/>
-			<call subcontrol-id="pe-14.2"/>
-			<call subcontrol-id="ps-3.3"/>
-			<call subcontrol-id="ra-5.3"/>
-			<call subcontrol-id="ra-5.6"/>
-			<call subcontrol-id="ra-5.8"/>
-			<call subcontrol-id="sa-4.8"/>
-			<call subcontrol-id="sa-9.1"/>
-			<call subcontrol-id="sa-9.4"/>
-			<call subcontrol-id="sa-9.5"/>
-			<call subcontrol-id="sa-10.1"/>
-			<call subcontrol-id="sa-11.1"/>
-			<call subcontrol-id="sa-11.2"/>
-			<call subcontrol-id="sa-11.8"/>
-			<call control-id="sc-6"/>
-			<call subcontrol-id="sc-7.8"/>
-			<call subcontrol-id="sc-7.12"/>
-			<call subcontrol-id="sc-7.13"/>
-			<call subcontrol-id="sc-7.18"/>
-			<call subcontrol-id="sc-12.2"/>
-			<call subcontrol-id="sc-12.3"/>
-			<call subcontrol-id="sc-28.1"/>
-			<call subcontrol-id="si-2.3"/>
-			<call subcontrol-id="si-3.7"/>
-			<call subcontrol-id="si-4.1"/>
-			<call subcontrol-id="si-4.14"/>
-			<call subcontrol-id="si-4.16"/>
-			<call subcontrol-id="si-4.23"/>
-			<call control-id="si-6"/>
+			<call control-id="ac-8-fr"/>
+			<call control-id="ca-7-fr"/>
+			<call control-id="sc-15-fr"/>
 		</include>
 	</import>
-	<merge/>
+	<merge>
+		<combine method="keep" />
+		<as-is>true</as-is>
+	</merge>
 	<modify>
 		<!-- - - AC-1 - -  -->
 		<set param-id="ac-1_prm_2">
@@ -397,9 +403,6 @@
 		<set param-id="ac-7_prm_2">
 			<constraint>fifteen (15) minutes</constraint>
 		</set>
-		<set param-id="ac-7_prm_3">
-			<constraint>locks the account/node for thirty minutes</constraint>
-		</set>
 		<set param-id="ac-7_prm_4">
 			<constraint>locks the account/node for thirty minutes</constraint>
 		</set>
@@ -428,7 +431,7 @@
 		<!-- - - AC-17 (4) - -  -->
 		<!-- - - AC-17 (9) - -  -->
 		<set param-id="ac-17.9_prm_1">
-			<constraint>no greater than 15 minutes</constraint>
+			<constraint>fifteen 15 minutes</constraint>
 		</set>
 		<!-- - - AC-18 - -  -->
 		<!-- - - AC-18 (1) - -  -->
@@ -471,7 +474,7 @@
 		</set>
 		<!-- - - AU-2 - -  -->
 		<set param-id="au-2_prm_1">
-			<constraint>Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
+			<constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
 		</set>
 		<set param-id="au-2_prm_2">
 			<constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
@@ -504,7 +507,7 @@
 			<constraint>At least hourly</constraint>
 		</set>
 		<set param-id="au-8.1_prm_2">
-			<constraint>http://tfnistgov/tf-cgi/serverscgi</constraint>
+			<constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
 		</set>
 		<!-- - - AU-9 - -  -->
 		<!-- - - AU-9 (2) - -  -->
@@ -520,9 +523,6 @@
 		<set param-id="au-12_prm_1">
 			<constraint>all information system and network components where audit capability is deployed/available</constraint>
 		</set>
-		<set param-id="au-12_prm_2">
-			<constraint>all information system and network components where audit capability is deployed/available</constraint>
-		</set>
 		<!-- - - CA-1 - -  -->
 		<set param-id="ca-1_prm_2">
 			<constraint>at least every 3 years</constraint>
@@ -550,7 +550,7 @@
 			<constraint>any FedRAMP Accredited 3PAO</constraint>
 		</set>
 		<set param-id="ca-2.3_prm_3">
-			<constraint>the conditions of a Authorizing Official in the FedRAMP Repository</constraint>
+			<constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
 		</set>
 		<!-- - - CA-3 - -  -->
 		<set param-id="ca-3_prm_1">
@@ -567,7 +567,7 @@
 		</set>
 		<!-- - - CA-6 - -  -->
 		<set param-id="ca-6_prm_1">
-			<constraint>at least every three years or when a significant change occurs</constraint>
+			<constraint>at least every three (3) years or when a significant change occurs</constraint>
 		</set>
 		<!-- - - CA-7 - -  -->
 		<set param-id="ca-7_prm_4">
@@ -581,9 +581,6 @@
 		<set param-id="ca-8_prm_1">
 			<constraint>at least annually</constraint>
 		</set>
-		<set param-id="ca-8_prm_2">
-			<constraint>at least annually</constraint>
-		</set>
 		<!-- - - CA-8 (1) - -  -->
 		<!-- - - CA-9 - -  -->
 		<!-- - - CM-1 - -  -->
@@ -736,18 +733,9 @@
 			<constraint>contractors; foreign nationals</constraint>
 		</set>
 		<!-- - - IA-5 - -  -->
-		<set param-id="ia-5_prm_1">
-			<constraint>to include sixty (60) days for passwords</constraint>
-		</set>
 		<!-- - - IA-5 (1) - -  -->
-		<set param-id="ia-5.1_prm_1">
-			<constraint>case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters</constraint>
-		</set>
 		<set param-id="ia-5.1_prm_2">
-			<constraint>case sensitive, minimum of twelve characters, and at least one IA-5 (1) (b) [at least one</constraint>
-		</set>
-		<set param-id="ia-5.1_prm_3">
-			<constraint>one (1) day minimum, sixty (60) day maximum</constraint>
+			<constraint>at least one</constraint>
 		</set>
 		<set param-id="ia-5.1_prm_4">
 			<constraint>twenty four (24)</constraint>
@@ -853,7 +841,7 @@
 			<constraint>all types of digital and non-digital media with sensitive information</constraint>
 		</set>
 		<set param-id="mp-4_prm_2">
-			<constraint>FedRAMP Assignment: see additional FedRAMP requirements and guidance</constraint>
+			<constraint>see additional FedRAMP requirements and guidance</constraint>
 		</set>
 		<!-- - - MP-5 - -  -->
 		<set param-id="mp-5_prm_1">
@@ -866,7 +854,7 @@
 		<!-- - - MP-6 - -  -->
 		<!-- - - MP-6 (2) - -  -->
 		<set param-id="mp-6.2_prm_1">
-			<constraint>At least annually</constraint>
+			<constraint>at least annually</constraint>
 		</set>
 		<!-- - - MP-7 - -  -->
 		<!-- - - MP-7 (1) - -  -->
@@ -1012,10 +1000,10 @@
 		</set>
 		<!-- - - RA-5 - -  -->
 		<set param-id="ra-5_prm_1">
-			<constraint>monthly operating system/infrastructure; monthly web applications and database</constraint>
+			<constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
 		</set>
 		<set param-id="ra-5_prm_2">
-			<constraint>high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery</constraint>
+			<constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
 		</set>
 		<!-- - - RA-5 (1) - -  -->
 		<!-- - - RA-5 (2) - -  -->
@@ -1065,11 +1053,11 @@
 		<!-- - - SA-9 (1) - -  -->
 		<!-- - - SA-9 (2) - -  -->
 		<set param-id="sa-9.2_prm_1">
-			<constraint>All external systems where Federal information is processed or stored</constraint>
+			<constraint>all external systems where Federal information is processed or stored</constraint>
 		</set>
 		<!-- - - SA-9 (4) - -  -->
 		<set param-id="sa-9.4_prm_2">
-			<constraint>All external systems where Federal information is processed or stored</constraint>
+			<constraint>all external systems where Federal information is processed or stored</constraint>
 		</set>
 		<!-- - - SA-9 (5) - -  -->
 		<set param-id="sa-9.5_prm_1">
@@ -1232,36 +1220,55 @@
 		<!-- - - AC-2 (3) - -  -->
 		<!-- - - AC-2 (4) - -  -->
 		<!-- - - AC-2 (5) - -  -->
-		<alter subcontrol-id="ac-2.5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: should use a shorter timeframe than AC-12.</p>
+		<alter control-id="ac-2.5">
+			<add position="ending">
+				<part id="ac-2.5_fr" name="item" ns="fedramp">
+					<title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Should use a shorter timeframe than AC-12.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (7) - -  -->
 		<!-- - - AC-2 (9) - -  -->
-		<alter subcontrol-id="ac-2.9">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Required if shared/group accounts are deployed</p>
+		<alter control-id="ac-2.9">
+			<add position="ending">
+				<part id="ac-2.9_fr" name="item" ns="fedramp">
+					<title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.9_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Required if shared/group accounts are deployed</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (10) - -  -->
-		<alter subcontrol-id="ac-2.10">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Required if shared/group accounts are deployed</p>
+		<alter control-id="ac-2.10">
+			<add position="ending">
+				<part id="ac-2.10_fr" name="item" ns="fedramp">
+					<title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.10_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Required if shared/group accounts are deployed</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-2 (12) - -  -->
-		<alter subcontrol-id="ac-2.12">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Guidance: Required for privileged accounts.</p>
-					<p>(b) Guidance: Required for privileged accounts.</p>
+		<alter control-id="ac-2.12">
+			<add position="ending">
+				<part id="ac-2.12_fr" name="item" ns="fedramp">
+					<title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-2.12_fr_gdn.1" name="guidance">
+						<prop name="label">(a) Guidance:</prop>
+						<p>Required for privileged accounts.</p>
+					</part>
+					<part id="ac-2.12_fr_gdn.2" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Required for privileged accounts.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1270,20 +1277,27 @@
 		<!-- - - AC-4 (21) - -  -->
 		<!-- - - AC-5 - -  -->
 		<alter control-id="ac-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Additional FedRAMP Requirements and Guidance:</p>
-					<p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
+			<add position="ending">
+				<part id="ac-5_fr" name="item" ns="fedramp">
+					<title>AC-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AC-6 - -  -->
 		<!-- - - AC-6 (1) - -  -->
 		<!-- - - AC-6 (2) - -  -->
-		<alter subcontrol-id="ac-6.2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance:  Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
+		<alter control-id="ac-6.2">
+			<add position="ending">
+				<part id="ac-6.2_fr" name="item" ns="fedramp">
+					<title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-6.2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1293,11 +1307,21 @@
 		<!-- - - AC-7 - -  -->
 		<!-- - - AC-8 - -  -->
 		<alter control-id="ac-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB.</p>
-					<p>Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB.</p>
-					<p>Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.</p>
+			<add position="ending">
+				<part id="ac-8_fr" name="item" ns="fedramp">
+					<title>AC-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ac-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="ac-8_fr_smt.2" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
+					</part>
+					<part id="ac-8_fr_smt.3" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1329,26 +1353,42 @@
 		<!-- - - AU-1 - -  -->
 		<!-- - - AU-2 - -  -->
 		<alter control-id="au-2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="au-2_fr" name="item" ns="fedramp">
+					<title>AU-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-2_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-2 (3) - -  -->
-		<alter subcontrol-id="au-2.3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.</p>
+		<alter control-id="au-2.3">
+			<add position="ending">
+				<part id="au-2.3_fr" name="item" ns="fedramp">
+				<title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
+				<part id="au-2.3_fr_gdn.1" name="guidance">
+					<prop name="label">Guidance:</prop>
+					<p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
 				</part>
+			</part>
 			</add>
 		</alter>
 		<!-- - - AU-3 - -  -->
 		<!-- - - AU-3 (1) - -  -->
-		<alter subcontrol-id="au-3.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB/AO. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
+		<alter control-id="au-3.1">
+			<add position="ending">
+				<part id="au-3.1_fr" name="item" ns="fedramp">
+					<title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-3.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="au-3.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1356,9 +1396,13 @@
 		<!-- - - AU-5 - -  -->
 		<!-- - - AU-6 - -  -->
 		<alter control-id="au-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+			<add position="ending">
+				<part id="au-6_fr" name="item" ns="fedramp">
+					<title>AU-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1368,12 +1412,22 @@
 		<!-- - - AU-7 (1) - -  -->
 		<!-- - - AU-8 - -  -->
 		<!-- - - AU-8 (1) - -  -->
-		<alter subcontrol-id="au-8.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-					<p>Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-					<p>Guidance: Synchronization of system clocks improves the accuracy of log analysis.</p>
+		<alter control-id="au-8.1">
+			<add position="ending">
+				<part id="au-8.1_fr" name="item" ns="fedramp">
+					<title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-8.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
+					</part>
+					<part id="au-8.1_fr_smt.2" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
+					</part>
+					<part id="au-8.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Synchronization of system clocks improves the accuracy of log analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1382,79 +1436,141 @@
 		<!-- - - AU-9 (4) - -  -->
 		<!-- - - AU-11 - -  -->
 		<alter control-id="au-11">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
+			<add position="ending">
+				<part id="au-11_fr" name="item" ns="fedramp">
+					<title>AU-11 Additional FedRAMP Requirements and Guidance</title>
+					<part id="au-11_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - AU-12 - -  -->
 		<!-- - - CA-1 - -  -->
 		<!-- - - CA-2 - -  -->
+		<alter control-id="ca-2">
+			<add position="ending">
+				<part id="ca-2_fr" name="item" ns="fedramp">
+					<title>CA-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - CA-2 (1) - -  -->
-		<alter subcontrol-id="ca-2.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Must use an accredited 3PAO for JAB authorization</p>
+		<alter control-id="ca-2.1">
+			<add position="ending">
+				<part id="ca-2.1_fr" name="item" ns="fedramp">
+					<title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-2 (2) - -  -->
-		<alter subcontrol-id="ca-2.2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: To include 'announced', 'vulnerability scanning'</p>
+		<alter control-id="ca-2.2">
+			<add position="ending">
+				<part id="ca-2.2_fr" name="item" ns="fedramp">
+					<title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-2.2_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>To include 'announced', 'vulnerability scanning'</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-2 (3) - -  -->
 		<!-- - - CA-3 - -  -->
 		<!-- - - CA-3 (3) - -  -->
-		<alter subcontrol-id="ca-3.3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
+		<alter control-id="ca-3.3">
+			<add position="ending">
+				<part id="ca-3.3_fr" name="item" ns="fedramp">
+					<title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-3.3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-3 (5) - -  -->
-		<alter subcontrol-id="ca-3.5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
+		<alter control-id="ca-3.5">
+			<add position="ending">
+				<part id="ca-3.5_fr" name="item" ns="fedramp">
+					<title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-3.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-5 - -  -->
 		<alter control-id="ca-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Requirement: POA&amp;Ms must be provided at least monthly.</p>
+			<add position="ending">
+				<part id="ca-5_fr" name="item" ns="fedramp">
+					<title>CA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
+					</part>
+					<part id="ca-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-6 - -  -->
 		<alter control-id="ca-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>-c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+			<add position="ending">
+				<part id="ca-6_fr" name="item" ns="fedramp">
+					<title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-7 - -  -->
 		<alter control-id="ca-7">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually</p>
-					<p>Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-					<p>Operating System Scans: at least monthly</p>
-					<p>Database and Web Application Scans: at least monthly</p>
-					<p>All scans performed by Independent Assessor: at least annually</p>
+			<add position="ending">
+				<part id="ca-7_fr" name="item" ns="fedramp">
+					<title>CA-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
+					</part>
+					<part id="ca-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
+					</part>
+					<part id="ca-7_fr_gdn.2" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a></p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CA-7 (1) - -  -->
 		<!-- - - CA-8 - -  -->
+		<alter control-id="ca-8">
+			<add position="ending">
+				<part id="ca-8_fr" name="item" ns="fedramp">
+					<title>CA-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ca-8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href='https://www.FedRAMP.gov/documents/'>https://www.FedRAMP.gov/documents/</a></p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - CA-8 (1) - -  -->
 		<!-- - - CA-9 - -  -->
 		<!-- - - CM-1 - -  -->
@@ -1465,10 +1581,17 @@
 		<!-- - - CM-2 (7) - -  -->
 		<!-- - - CM-3 - -  -->
 		<alter control-id="cm-3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-					<p>-e Guidance: In accordance with record retention policies and procedures.</p>
+			<add position="ending">
+				<part id="cm-3_fr" name="item" ns="fedramp">
+					<title>CM-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-3_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
+					</part>
+					<part id="cm-3_fr_gdn.1" name="guidance">
+						<prop name="label">(e) Guidance:</prop>
+						<p>In accordance with record retention policies and procedures.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1476,50 +1599,78 @@
 		<!-- - - CM-5 - -  -->
 		<!-- - - CM-5 (1) - -  -->
 		<!-- - - CM-5 (3) - -  -->
-		<alter subcontrol-id="cm-5.3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
+		<alter control-id="cm-5.3">
+			<add position="ending">
+				<part id="cm-5.3_fr" name="item" ns="fedramp">
+					<title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-5.3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-5 (5) - -  -->
 		<!-- - - CM-6 - -  -->
 		<alter control-id="cm-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.</p>
-					<p>(a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).</p>
-					<p>(a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
+			<add position="ending">
+				<part id="cm-6_fr" name="item" ns="fedramp">
+					<title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-6_fr_smt.1" name="item">
+						<prop name="label">Requirement 1:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
+					</part>
+					<part id="cm-6_fr_smt.2" name="item">
+						<prop name="label">Requirement 2:</prop>
+						<p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
+					</part>
+					<part id="cm-6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-6 (1) - -  -->
 		<!-- - - CM-7 - -  -->
 		<alter control-id="cm-7">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-					<p>Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</p>
-					<p>(Partially derived from AC-17(8).)</p>
+			<add position="ending">
+				<part id="cm-7_fr" name="item" ns="fedramp">
+					<title>CM-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-7_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
+					</part>
+					<part id="cm-7_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-7 (1) - -  -->
 		<!-- - - CM-7 (2) - -  -->
-		<alter subcontrol-id="cm-7.2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
+		<alter control-id="cm-7.2">
+			<add position="ending">
+				<part id="cm-7.2_fr" name="item" ns="fedramp">
+					<title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-7.2_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CM-7 (5) - -  -->
 		<!-- - - CM-8 - -  -->
 		<alter control-id="cm-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: must be provided at least monthly or when there is a change.</p>
+			<add position="ending">
+				<part id="cm-8_fr" name="item" ns="fedramp">
+					<title>CM-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cm-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Must be provided at least monthly or when there is a change.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1533,9 +1684,13 @@
 		<!-- - - CP-1 - -  -->
 		<!-- - - CP-2 - -  -->
 		<alter control-id="cp-2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="cp-2_fr" name="item" ns="fedramp">
+					<title>CP-2 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-2_fr_smt.1" name="item">
+						<prop name="label">CP-2 Requirement:</prop>
+						<p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1546,9 +1701,13 @@
 		<!-- - - CP-3 - -  -->
 		<!-- - - CP-4 - -  -->
 		<alter control-id="cp-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a). Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+			<add position="ending">
+				<part id="cp-4_fr" name="item" ns="fedramp">
+					<title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-4_fr_smt.a" name="item">
+						<prop name="label">CP-4(a) Requirement:</prop>
+						<p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1558,17 +1717,25 @@
 		<!-- - - CP-6 (3) - -  -->
 		<!-- - - CP-7 - -  -->
 		<alter control-id="cp-7">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a). Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+			<add position="ending">
+				<part id="cp-7_fr" name="item" ns="fedramp">
+					<title>CP-7 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-7_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - CP-7 (1) - -  -->
-		<alter subcontrol-id="cp-7.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
+		<alter control-id="cp-7.1">
+			<add position="ending">
+				<part id="cp-7.1_fr" name="item" ns="fedramp">
+					<title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-7.1_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1576,9 +1743,13 @@
 		<!-- - - CP-7 (3) - -  -->
 		<!-- - - CP-8 - -  -->
 		<alter control-id="cp-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+			<add position="ending">
+				<part id="cp-8_fr" name="item" ns="fedramp">
+					<title>CP-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1586,12 +1757,25 @@
 		<!-- - - CP-8 (2) - -  -->
 		<!-- - - CP-9 - -  -->
 		<alter control-id="cp-9">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-					<p>(a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.</p>
-					<p>(c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.</p>
+			<add position="ending">
+				<part id="cp-9_fr" name="item" ns="fedramp">
+					<title>CP-9 Additional FedRAMP Requirements and Guidance</title>
+					<part id="cp-9_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
+					</part>
+					<part id="cp-9_fr_smt.a" name="item">
+						<prop name="label">CP-9(a) Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.b" name="item">
+						<prop name="label">CP-9(b)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
+					</part>
+					<part id="cp-9_fr_smt.c" name="item">
+						<prop name="label">CP-9(c)Requirement:</prop>
+						<p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1607,41 +1791,82 @@
 		<!-- - - IA-2 (5) - -  -->
 		<!-- - - IA-2 (8) - -  -->
 		<!-- - - IA-2 (11) - -  -->
-		<alter subcontrol-id="ia-2.11">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
+		<alter control-id="ia-2.11">
+			<add position="ending">
+				<part id="ia-2.11_fr" name="item" ns="fedramp">
+					<title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-2.11_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-2 (12) - -  -->
-		<alter subcontrol-id="ia-2.12">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+		<alter control-id="ia-2.12">
+			<add position="ending">
+				<part id="ia-2.12_fr" name="item" ns="fedramp">
+					<title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-2.12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-3 - -  -->
 		<!-- - - IA-4 - -  -->
 		<alter control-id="ia-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(e) Requirement: The service provider defines time period of inactivity for device identifiers.</p>
-					<p>Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.</p>
+			<add position="ending">
+				<part id="ia-4_fr" name="item" ns="fedramp">
+					<title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-4_fr_smt.e" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines the time period of inactivity for device identifiers.</p>
+					</part>
+					<part id="ia-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - IA-4 (4) - -  -->
 		<!-- - - IA-5 - -  -->
+		<alter control-id="ia-5">
+			<add position="ending">
+				<part id="ia-5_fr" name="item" ns="fedramp">
+					<title>IA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - IA-5 (1) - -  -->
+		<alter control-id="ia-5.1">
+			<add position="ending">
+				<part id="ia-5.1_fr" name="item" ns="fedramp">
+					<title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5.1_fr_gdn.1" name="guidance">
+						<prop name="label">(a) (d) Guidance:</prop>
+						<p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
+					</part>
+				</part>
+			</add>
+		</alter>
 		<!-- - - IA-5 (2) - -  -->
 		<!-- - - IA-5 (3) - -  -->
 		<!-- - - IA-5 (4) - -  -->
-		<alter subcontrol-id="ia-5.4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Additional FedRAMP Requirements and Guidance: Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
+		<alter control-id="ia-5.4">
+			<add position="ending">
+				<part id="ia-5.4_fr" name="item" ns="fedramp">
+					<title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ia-5.4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1659,20 +1884,27 @@
 		<!-- - - IR-2 - -  -->
 		<!-- - - IR-3 - -  -->
 		<alter control-id="ir-3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>-2 Requirement 1: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).</p>
-					<p>-2 Requirement 2: For JAB Authorization, the service provider provides test plans to the JAB/AO annually.</p>
-					<p>-2 Requirement 3: Test plans are approved and accepted by the Authorizing Official (AO) prior to test commencing.</p>
+			<add position="ending">
+				<part id="ir-3_fr" name="item" ns="fedramp">
+					<title>IR-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-3_fr_smt.1" name="item">
+						<prop name="label">IR-3 -2 Requirement:</prop>
+						<p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
+					</part>
 				</part>
+				
 			</add>
 		</alter>
 		<!-- - - IR-3 (2) - -  -->
 		<!-- - - IR-4 - -  -->
 		<alter control-id="ir-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+			<add position="ending">
+				<part id="ir-4_fr" name="item" ns="fedramp">
+					<title>IR-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-4_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1680,9 +1912,13 @@
 		<!-- - - IR-5 - -  -->
 		<!-- - - IR-6 - -  -->
 		<alter control-id="ir-6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.</p>
+			<add position="ending">
+				<part id="ir-6_fr" name="item" ns="fedramp">
+					<title>IR-6 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-6_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1692,10 +1928,17 @@
 		<!-- - - IR-7 (2) - -  -->
 		<!-- - - IR-8 - -  -->
 		<alter control-id="ir-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
-					<p>(e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.</p>
+			<add position="ending">
+				<part id="ir-8_fr" name="item" ns="fedramp">
+					<title>IR-8 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ir-8_fr_smt.b" name="item">
+						<prop name="label">(b) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
+					<part id="ir-8_fr_smt.e" name="item">
+						<prop name="label">(e) Requirement:</prop>
+						<p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1714,10 +1957,14 @@
 		<!-- - - MA-4 (2) - -  -->
 		<!-- - - MA-5 - -  -->
 		<!-- - - MA-5 (1) - -  -->
-		<alter subcontrol-id="ma-5.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline</p>
+		<alter control-id="ma-5.1">
+			<add position="ending">
+				<part id="ma-5.1_fr" name="item" ns="fedramp">
+					<title>MA-5 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ma-5.1_fr_smt.b" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1726,36 +1973,51 @@
 		<!-- - - MP-2 - -  -->
 		<!-- - - MP-3 - -  -->
 		<alter control-id="mp-3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Guidance: Second parameter not-applicable</p>
+			<add position="ending">
+				<part id="mp-3_fr" name="item" ns="fedramp">
+					<title>MP-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-3_fr_gdn.b" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Second parameter not-applicable</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-4 - -  -->
 		<alter control-id="mp-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within facilities where the information and information system reside.</p>
+			<add position="ending">
+				<part id="mp-4_fr" name="item" ns="fedramp">
+					<title>MP-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-4_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-5 - -  -->
 		<alter control-id="mp-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Additional FedRAMP Requirements and Guidance:</p>
-					<p>Requirement: The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
+			<add position="ending">
+				<part id="mp-5_fr" name="item" ns="fedramp">
+					<title>MP-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-5_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - MP-5 (4) - -  -->
 		<!-- - - MP-6 - -  -->
 		<!-- - - MP-6 (2) - -  -->
-		<alter subcontrol-id="mp-6.2">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Equipment and procedures may be tested or validated for effectiveness</p>
+		<alter control-id="mp-6.2">
+			<add position="ending">
+				<part id="mp-6.2_fr" name="item" ns="fedramp">
+					<title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
+					<part id="mp-6.2_fr_gdn.a" name="guidance">
+						<prop name="label">(a) Requirement:</prop>
+						<p>Equipment and procedures may be tested or validated for effectiveness</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1778,9 +2040,13 @@
 		<!-- - - PE-13 (3) - -  -->
 		<!-- - - PE-14 - -  -->
 		<alter control-id="pe-14">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a). Requirements:  The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+			<add position="ending">
+				<part id="pe-14_fr" name="item" ns="fedramp">
+					<title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
+					<part id="pe-14_fr_smt.a" name="item">
+						<prop name="label">(a) Requirement:</prop>
+						<p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1795,9 +2061,13 @@
 		<!-- - - PL-4 (1) - -  -->
 		<!-- - - PL-8 - -  -->
 		<alter control-id="pl-8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+			<add position="ending">
+				<part id="pl-8_fr" name="item" ns="fedramp">
+					<title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
+					<part id="pl-8_fr_gdn.b" name="guidance">
+						<prop name="label">(b) Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1814,19 +2084,39 @@
 		<!-- - - RA-2 - -  -->
 		<!-- - - RA-3 - -  -->
 		<alter control-id="ra-3">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.</p>
-					<p>(d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.</p>
+			<add position="ending">
+				<part id="ra-3_fr" name="item" ns="fedramp">
+					<title>RA-3 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-3_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
+					</part>
+					<part id="ra-3_fr_smt.d" name="item">
+						<prop name="label">RA-3 (d) Requirement:</prop>
+						<p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 - -  -->
 		<alter control-id="ra-5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-					<p>(e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP</p>
+			<add position="ending">
+				<part id="ra-5_fr_smt.a" name="item">
+					<title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (a)Requirement:</prop>
+					<p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
+				</part>
+				<part id="ra-5_fr_smt.e" name="item">
+					<title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
+					<prop name="label">RA-5 (e)Requirement:</prop>
+					<p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
+				</part>
+				<part id="ra-5_fr" name="item" ns="fedramp">
+					<title>RA-5 Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p><strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1835,18 +2125,30 @@
 		<!-- - - RA-5 (3) - -  -->
 		<!-- - - RA-5 (5) - -  -->
 		<!-- - - RA-5 (6) - -  -->
-		<alter subcontrol-id="ra-5.6">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
+		<alter control-id="ra-5.6">
+			<add position="ending">
+				<part id="ra-5.6_fr" name="item" ns="fedramp">
+					<title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5.6_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - RA-5 (8) - -  -->
-		<alter subcontrol-id="ra-5.8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirements: This enhancement is required for all high vulnerability scan findings. Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
+		<alter control-id="ra-5.8">
+			<add position="ending">
+				<part id="ra-5.8_fr" name="item" ns="fedramp">
+					<title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="ra-5.8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>This enhancement is required for all high vulnerability scan findings.</p>
+					</part>
+					<part id="ra-5.8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1855,20 +2157,27 @@
 		<!-- - - SA-3 - -  -->
 		<!-- - - SA-4 - -  -->
 		<alter control-id="sa-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.</p>
-					<p>See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.</p>
+			<add position="ending">
+				<part id="sa-4_fr" name="item" ns="fedramp">
+					<title>SA-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-4 (1) - -  -->
 		<!-- - - SA-4 (2) - -  -->
 		<!-- - - SA-4 (8) - -  -->
-		<alter subcontrol-id="sa-4.8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
+		<alter control-id="sa-4.8">
+			<add position="ending">
+				<part id="sa-4.8_fr" name="item" ns="fedramp">
+					<title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-4.8_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1883,32 +2192,44 @@
 		<!-- - - SA-9 (5) - -  -->
 		<!-- - - SA-10 - -  -->
 		<alter control-id="sa-10">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>(e)  Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
+			<add position="ending">
+				<part id="sa-10_fr" name="item" ns="fedramp">
+					<title>SA-10 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-10_fr_smt.1" name="item">
+						<prop name="label">(e)  Requirement:</prop>
+						<p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-10 (1) - -  -->
 		<!-- - - SA-11 - -  -->
 		<!-- - - SA-11 (1) - -  -->
-		<alter subcontrol-id="sa-11.1">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+		<alter control-id="sa-11.1">
+			<add position="ending">
+				<part id="sa-11.1_fr" name="item" ns="fedramp">
+					<title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-11.1_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
 		<!-- - - SA-11 (2) - -  -->
 		<!-- - - SA-11 (8) - -  -->
-		<alter subcontrol-id="sa-11.8">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+		<alter control-id="sa-11.8">
+			<add position="ending">
+				<part id="sa-11.8_fr" name="item" ns="fedramp">
+					<title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sa-11.8_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
-		<!-- - - SC-1 - -  -->
+			<!-- - - SC-1 - -  -->
 		<!-- - - SC-2 - -  -->
 		<!-- - - SC-4 - -  -->
 		<!-- - - SC-5 - -  -->
@@ -1921,10 +2242,14 @@
 		<!-- - - SC-7 (8) - -  -->
 		<!-- - - SC-7 (12) - -  -->
 		<!-- - - SC-7 (13) - -  -->
-		<alter subcontrol-id="sc-7.13">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
+		<alter control-id="sc-7.13">
+			<add position="ending">
+				<part id="sc-7.13_fr" name="item" ns="fedramp">
+					<title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-7.13_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1934,9 +2259,13 @@
 		<!-- - - SC-10 - -  -->
 		<!-- - - SC-12 - -  -->
 		<alter control-id="sc-12">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: Federally approved cryptography</p>
+			<add position="ending">
+				<part id="sc-12_fr" name="item" ns="fedramp">
+					<title>SC-12 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-12_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>Federally approved and validated cryptography.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1945,10 +2274,13 @@
 		<!-- - - SC-13 - -  -->
 		<!-- - - SC-15 - -  -->
 		<alter control-id="sc-15">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Additional FedRAMP Requirements and Guidance:</p>
-					<p>Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+			<add position="ending">
+				<part id="sc-15_fr" name="item" ns="fedramp">
+					<title>SC-15 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-15_fr_smt.1" name="item">
+						<prop name="label">Requirement:</prop>
+						<p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1961,9 +2293,13 @@
 		<!-- - - SC-23 - -  -->
 		<!-- - - SC-28 - -  -->
 		<alter control-id="sc-28">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
+			<add position="ending">
+				<part id="sc-28_fr" name="item" ns="fedramp">
+					<title>SC-28 Additional FedRAMP Requirements and Guidance</title>
+					<part id="sc-28_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1979,9 +2315,13 @@
 		<!-- - - SI-3 (7) - -  -->
 		<!-- - - SI-4 - -  -->
 		<alter control-id="si-4">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: See US-CERT Incident Response Reporting Guidelines.</p>
+			<add position="ending">
+				<part id="si-4_fr" name="item" ns="fedramp">
+					<title>SI-4 Additional FedRAMP Requirements and Guidance</title>
+					<part id="si-4_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>See US-CERT Incident Response Reporting Guidelines.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
@@ -1989,10 +2329,14 @@
 		<!-- - - SI-4 (2) - -  -->
 		<!-- - - SI-4 (4) - -  -->
 		<!-- - - SI-4 (5) - -  -->
-		<alter subcontrol-id="si-4.5">
-			<add position="starting">
-				<part name="guidance" ns="FedRAMP">
-					<p>Guidance: In accordance with the incident response plan.</p>
+		<alter control-id="si-4.5">
+			<add position="ending">
+				<part id="si-4.5_fr" name="item" ns="fedramp">
+					<title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
+					<part id="si-4.5_fr_gdn.1" name="guidance">
+						<prop name="label">Guidance:</prop>
+						<p>In accordance with the incident response plan.</p>
+					</part>
 				</part>
 			</add>
 		</alter>
diff --git a/src/content/fedramp.gov/xml/FedRAMP_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_catalog.xml
new file mode 100644
index 0000000000..0387cb5828
--- /dev/null
+++ b/src/content/fedramp.gov/xml/FedRAMP_catalog.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+         id="uuid-20190723-133200-001">
+   <metadata>
+      <title>FedRAMP Additional Controls</title>
+      <last-modified-date>2019-07-23T13:20:00.000-04:00</last-modified-date>
+      <version>1.0</version>
+      <oscal-version>1.0.0</oscal-version>
+      <prop name="keywords">FedRAMP, Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements</prop>
+      <role id="creator">
+         <title>Document creator</title>
+      </role>
+      <role id="contact">
+         <title>Contact</title>
+      </role>
+      <party id="fedramp" role-id="creator contact">
+         <org>
+            <org-name>Federal Risk and Authorization Management Program (FedRAMP)</org-name>
+            <email>info@fedramp.gov</email>
+            <url>https://fedramp.gov</url>
+         </org>
+      </party>
+      <notes>
+         <p>No notes.</p>
+      </notes>
+   </metadata>
+   <group class="family" id="ac">
+      <title>Access Control</title>
+      <control class="SP800-53" id="ac-8">
+         <title>System Use Notification</title>
+         <control class="SP800-53" id="ac-8.fr">
+            <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
+            <prop name="label">AC-8 Req</prop>
+            <part id="ac-8.fr_smt.1" name="item">
+               <prop name="label">Requirement:</prop>
+               <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control.  The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
+            </part>
+            <part id="ac-8.fr_smt.2" name="item">
+               <prop name="label">Requirement:</prop>
+               <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check.  The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.  If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
+            </part>
+            <part id="ac-8.fr_smt.3" name="item">
+               <prop name="label">Requirement:</prop>
+               <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider.  The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
+            </part>
+         </control>
+      </control>
+   </group>
+   <group class="family" id="ca">
+      <title>CA-7 Security Assessment and Authorization</title>
+      <control class="SP800-53" id="ca-7">
+         <title>Continuous Monitoring</title>
+         <control class="SP800-53-enhancement" id="ca-7.fr">
+            <title>Additional FedRAMP Requirements and Guidance</title>
+            <prop name="label">CA-7 Req</prop>
+            <part id="ca-7.fr_smt.1" name="item">
+               <prop name="label">Requirement 1</prop>
+               <p>Operating System Scans: at least monthly</p>
+            </part>
+            <part id="ca-7.fr_smt.2" name="item">
+               <prop name="label">Requirement 2</prop>
+               <p>Database and Web Application Scans: at least monthly</p>
+            </part>
+            <part id="ca-7.fr_smt.3" name="item">
+               <prop name="label">Requirement 3</prop>
+               <p>All scans performed by Independent Assessor: at least annually</p>
+            </part>
+            <part id="ca-7.fr_gdn.1" name="guidance">
+               <p>CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&amp;M updates.</p>
+            </part>
+            <part id="ca-7.fr_gdn.2" name="guidance">
+               <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a></p>
+            </part>
+         </control>
+      </control>
+   </group>
+   <group class="family" id="sc">
+      <title>System and Communications Protection</title>
+      <control class="SP800-53" id="sc-15">
+         <title>System and Communications Protection Policy and Procedures</title>
+         <control class="SP800-53-enhancement" id="sc-15.fr">
+            <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
+            <prop name="label">SC-15 Req</prop>
+            <part id="sc-15.fr_smt" name="item">
+               <prop name="label">Requirement</prop>
+               <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
+            </part>
+         </control>
+     </control>
+   </group>
+   <back-matter>
+      <resource id="fedramp-conmon-guide">
+         <rlink media-type="application/pdf"
+            href="https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf"/>
+      </resource>
+   </back-matter>
+</catalog>
\ No newline at end of file
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
index d9c4c82332..e3bf8899da 100644
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
+++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
@@ -33,260 +33,260 @@
       <include>
          <call control-id="ac-1"/>
          <call control-id="ac-2"/>
-         <call subcontrol-id="ac-2.1"/>
-         <call subcontrol-id="ac-2.2"/>
-         <call subcontrol-id="ac-2.3"/>
-         <call subcontrol-id="ac-2.4"/>
-         <call subcontrol-id="ac-2.5"/>
-         <call subcontrol-id="ac-2.11"/>
-         <call subcontrol-id="ac-2.12"/>
-         <call subcontrol-id="ac-2.13"/>
+         <call control-id="ac-2.1"/>
+         <call control-id="ac-2.2"/>
+         <call control-id="ac-2.3"/>
+         <call control-id="ac-2.4"/>
+         <call control-id="ac-2.5"/>
+         <call control-id="ac-2.11"/>
+         <call control-id="ac-2.12"/>
+         <call control-id="ac-2.13"/>
          <call control-id="ac-3"/>
          <call control-id="ac-4"/>
          <call control-id="ac-5"/>
          <call control-id="ac-6"/>
-         <call subcontrol-id="ac-6.1"/>
-         <call subcontrol-id="ac-6.2"/>
-         <call subcontrol-id="ac-6.3"/>
-         <call subcontrol-id="ac-6.5"/>
-         <call subcontrol-id="ac-6.9"/>
-         <call subcontrol-id="ac-6.10"/>
+         <call control-id="ac-6.1"/>
+         <call control-id="ac-6.2"/>
+         <call control-id="ac-6.3"/>
+         <call control-id="ac-6.5"/>
+         <call control-id="ac-6.9"/>
+         <call control-id="ac-6.10"/>
          <call control-id="ac-7"/>
          <call control-id="ac-8"/>
          <call control-id="ac-10"/>
          <call control-id="ac-11"/>
-         <call subcontrol-id="ac-11.1"/>
+         <call control-id="ac-11.1"/>
          <call control-id="ac-12"/>
          <call control-id="ac-14"/>
          <call control-id="ac-17"/>
-         <call subcontrol-id="ac-17.1"/>
-         <call subcontrol-id="ac-17.2"/>
-         <call subcontrol-id="ac-17.3"/>
-         <call subcontrol-id="ac-17.4"/>
+         <call control-id="ac-17.1"/>
+         <call control-id="ac-17.2"/>
+         <call control-id="ac-17.3"/>
+         <call control-id="ac-17.4"/>
          <call control-id="ac-18"/>
-         <call subcontrol-id="ac-18.1"/>
-         <call subcontrol-id="ac-18.4"/>
-         <call subcontrol-id="ac-18.5"/>
+         <call control-id="ac-18.1"/>
+         <call control-id="ac-18.4"/>
+         <call control-id="ac-18.5"/>
          <call control-id="ac-19"/>
-         <call subcontrol-id="ac-19.5"/>
+         <call control-id="ac-19.5"/>
          <call control-id="ac-20"/>
-         <call subcontrol-id="ac-20.1"/>
-         <call subcontrol-id="ac-20.2"/>
+         <call control-id="ac-20.1"/>
+         <call control-id="ac-20.2"/>
          <call control-id="ac-21"/>
          <call control-id="ac-22"/>
          <call control-id="at-1"/>
          <call control-id="at-2"/>
-         <call subcontrol-id="at-2.2"/>
+         <call control-id="at-2.2"/>
          <call control-id="at-3"/>
          <call control-id="at-4"/>
          <call control-id="au-1"/>
          <call control-id="au-2"/>
-         <call subcontrol-id="au-2.3"/>
+         <call control-id="au-2.3"/>
          <call control-id="au-3"/>
-         <call subcontrol-id="au-3.1"/>
-         <call subcontrol-id="au-3.2"/>
+         <call control-id="au-3.1"/>
+         <call control-id="au-3.2"/>
          <call control-id="au-4"/>
          <call control-id="au-5"/>
-         <call subcontrol-id="au-5.1"/>
-         <call subcontrol-id="au-5.2"/>
+         <call control-id="au-5.1"/>
+         <call control-id="au-5.2"/>
          <call control-id="au-6"/>
-         <call subcontrol-id="au-6.1"/>
-         <call subcontrol-id="au-6.3"/>
-         <call subcontrol-id="au-6.5"/>
-         <call subcontrol-id="au-6.6"/>
+         <call control-id="au-6.1"/>
+         <call control-id="au-6.3"/>
+         <call control-id="au-6.5"/>
+         <call control-id="au-6.6"/>
          <call control-id="au-7"/>
-         <call subcontrol-id="au-7.1"/>
+         <call control-id="au-7.1"/>
          <call control-id="au-8"/>
-         <call subcontrol-id="au-8.1"/>
+         <call control-id="au-8.1"/>
          <call control-id="au-9"/>
-         <call subcontrol-id="au-9.2"/>
-         <call subcontrol-id="au-9.3"/>
-         <call subcontrol-id="au-9.4"/>
+         <call control-id="au-9.2"/>
+         <call control-id="au-9.3"/>
+         <call control-id="au-9.4"/>
          <call control-id="au-10"/>
          <call control-id="au-11"/>
          <call control-id="au-12"/>
-         <call subcontrol-id="au-12.1"/>
-         <call subcontrol-id="au-12.3"/>
+         <call control-id="au-12.1"/>
+         <call control-id="au-12.3"/>
          <call control-id="ca-1"/>
          <call control-id="ca-2"/>
-         <call subcontrol-id="ca-2.1"/>
-         <call subcontrol-id="ca-2.2"/>
+         <call control-id="ca-2.1"/>
+         <call control-id="ca-2.2"/>
          <call control-id="ca-3"/>
-         <call subcontrol-id="ca-3.5"/>
+         <call control-id="ca-3.5"/>
          <call control-id="ca-5"/>
          <call control-id="ca-6"/>
          <call control-id="ca-7"/>
-         <call subcontrol-id="ca-7.1"/>
+         <call control-id="ca-7.1"/>
          <call control-id="ca-8"/>
          <call control-id="ca-9"/>
          <call control-id="cm-1"/>
          <call control-id="cm-2"/>
-         <call subcontrol-id="cm-2.1"/>
-         <call subcontrol-id="cm-2.2"/>
-         <call subcontrol-id="cm-2.3"/>
-         <call subcontrol-id="cm-2.7"/>
+         <call control-id="cm-2.1"/>
+         <call control-id="cm-2.2"/>
+         <call control-id="cm-2.3"/>
+         <call control-id="cm-2.7"/>
          <call control-id="cm-3"/>
-         <call subcontrol-id="cm-3.1"/>
-         <call subcontrol-id="cm-3.2"/>
+         <call control-id="cm-3.1"/>
+         <call control-id="cm-3.2"/>
          <call control-id="cm-4"/>
-         <call subcontrol-id="cm-4.1"/>
+         <call control-id="cm-4.1"/>
          <call control-id="cm-5"/>
-         <call subcontrol-id="cm-5.1"/>
-         <call subcontrol-id="cm-5.2"/>
-         <call subcontrol-id="cm-5.3"/>
+         <call control-id="cm-5.1"/>
+         <call control-id="cm-5.2"/>
+         <call control-id="cm-5.3"/>
          <call control-id="cm-6"/>
-         <call subcontrol-id="cm-6.1"/>
-         <call subcontrol-id="cm-6.2"/>
+         <call control-id="cm-6.1"/>
+         <call control-id="cm-6.2"/>
          <call control-id="cm-7"/>
-         <call subcontrol-id="cm-7.1"/>
-         <call subcontrol-id="cm-7.2"/>
-         <call subcontrol-id="cm-7.5"/>
+         <call control-id="cm-7.1"/>
+         <call control-id="cm-7.2"/>
+         <call control-id="cm-7.5"/>
          <call control-id="cm-8"/>
-         <call subcontrol-id="cm-8.1"/>
-         <call subcontrol-id="cm-8.2"/>
-         <call subcontrol-id="cm-8.3"/>
-         <call subcontrol-id="cm-8.4"/>
-         <call subcontrol-id="cm-8.5"/>
+         <call control-id="cm-8.1"/>
+         <call control-id="cm-8.2"/>
+         <call control-id="cm-8.3"/>
+         <call control-id="cm-8.4"/>
+         <call control-id="cm-8.5"/>
          <call control-id="cm-9"/>
          <call control-id="cm-10"/>
          <call control-id="cm-11"/>
          <call control-id="cp-1"/>
          <call control-id="cp-2"/>
-         <call subcontrol-id="cp-2.1"/>
-         <call subcontrol-id="cp-2.2"/>
-         <call subcontrol-id="cp-2.3"/>
-         <call subcontrol-id="cp-2.4"/>
-         <call subcontrol-id="cp-2.5"/>
-         <call subcontrol-id="cp-2.8"/>
+         <call control-id="cp-2.1"/>
+         <call control-id="cp-2.2"/>
+         <call control-id="cp-2.3"/>
+         <call control-id="cp-2.4"/>
+         <call control-id="cp-2.5"/>
+         <call control-id="cp-2.8"/>
          <call control-id="cp-3"/>
-         <call subcontrol-id="cp-3.1"/>
+         <call control-id="cp-3.1"/>
          <call control-id="cp-4"/>
-         <call subcontrol-id="cp-4.1"/>
-         <call subcontrol-id="cp-4.2"/>
+         <call control-id="cp-4.1"/>
+         <call control-id="cp-4.2"/>
          <call control-id="cp-6"/>
-         <call subcontrol-id="cp-6.1"/>
-         <call subcontrol-id="cp-6.2"/>
-         <call subcontrol-id="cp-6.3"/>
+         <call control-id="cp-6.1"/>
+         <call control-id="cp-6.2"/>
+         <call control-id="cp-6.3"/>
          <call control-id="cp-7"/>
-         <call subcontrol-id="cp-7.1"/>
-         <call subcontrol-id="cp-7.2"/>
-         <call subcontrol-id="cp-7.3"/>
-         <call subcontrol-id="cp-7.4"/>
+         <call control-id="cp-7.1"/>
+         <call control-id="cp-7.2"/>
+         <call control-id="cp-7.3"/>
+         <call control-id="cp-7.4"/>
          <call control-id="cp-8"/>
-         <call subcontrol-id="cp-8.1"/>
-         <call subcontrol-id="cp-8.2"/>
-         <call subcontrol-id="cp-8.3"/>
-         <call subcontrol-id="cp-8.4"/>
+         <call control-id="cp-8.1"/>
+         <call control-id="cp-8.2"/>
+         <call control-id="cp-8.3"/>
+         <call control-id="cp-8.4"/>
          <call control-id="cp-9"/>
-         <call subcontrol-id="cp-9.1"/>
-         <call subcontrol-id="cp-9.2"/>
-         <call subcontrol-id="cp-9.3"/>
-         <call subcontrol-id="cp-9.5"/>
+         <call control-id="cp-9.1"/>
+         <call control-id="cp-9.2"/>
+         <call control-id="cp-9.3"/>
+         <call control-id="cp-9.5"/>
          <call control-id="cp-10"/>
-         <call subcontrol-id="cp-10.2"/>
-         <call subcontrol-id="cp-10.4"/>
+         <call control-id="cp-10.2"/>
+         <call control-id="cp-10.4"/>
          <call control-id="ia-1"/>
          <call control-id="ia-2"/>
-         <call subcontrol-id="ia-2.1"/>
-         <call subcontrol-id="ia-2.2"/>
-         <call subcontrol-id="ia-2.3"/>
-         <call subcontrol-id="ia-2.4"/>
-         <call subcontrol-id="ia-2.8"/>
-         <call subcontrol-id="ia-2.9"/>
-         <call subcontrol-id="ia-2.11"/>
-         <call subcontrol-id="ia-2.12"/>
+         <call control-id="ia-2.1"/>
+         <call control-id="ia-2.2"/>
+         <call control-id="ia-2.3"/>
+         <call control-id="ia-2.4"/>
+         <call control-id="ia-2.8"/>
+         <call control-id="ia-2.9"/>
+         <call control-id="ia-2.11"/>
+         <call control-id="ia-2.12"/>
          <call control-id="ia-3"/>
          <call control-id="ia-4"/>
          <call control-id="ia-5"/>
-         <call subcontrol-id="ia-5.1"/>
-         <call subcontrol-id="ia-5.2"/>
-         <call subcontrol-id="ia-5.3"/>
-         <call subcontrol-id="ia-5.11"/>
+         <call control-id="ia-5.1"/>
+         <call control-id="ia-5.2"/>
+         <call control-id="ia-5.3"/>
+         <call control-id="ia-5.11"/>
          <call control-id="ia-6"/>
          <call control-id="ia-7"/>
          <call control-id="ia-8"/>
-         <call subcontrol-id="ia-8.1"/>
-         <call subcontrol-id="ia-8.2"/>
-         <call subcontrol-id="ia-8.3"/>
-         <call subcontrol-id="ia-8.4"/>
+         <call control-id="ia-8.1"/>
+         <call control-id="ia-8.2"/>
+         <call control-id="ia-8.3"/>
+         <call control-id="ia-8.4"/>
          <call control-id="ir-1"/>
          <call control-id="ir-2"/>
-         <call subcontrol-id="ir-2.1"/>
-         <call subcontrol-id="ir-2.2"/>
+         <call control-id="ir-2.1"/>
+         <call control-id="ir-2.2"/>
          <call control-id="ir-3"/>
-         <call subcontrol-id="ir-3.2"/>
+         <call control-id="ir-3.2"/>
          <call control-id="ir-4"/>
-         <call subcontrol-id="ir-4.1"/>
-         <call subcontrol-id="ir-4.4"/>
+         <call control-id="ir-4.1"/>
+         <call control-id="ir-4.4"/>
          <call control-id="ir-5"/>
-         <call subcontrol-id="ir-5.1"/>
+         <call control-id="ir-5.1"/>
          <call control-id="ir-6"/>
-         <call subcontrol-id="ir-6.1"/>
+         <call control-id="ir-6.1"/>
          <call control-id="ir-7"/>
-         <call subcontrol-id="ir-7.1"/>
+         <call control-id="ir-7.1"/>
          <call control-id="ir-8"/>
          <call control-id="ma-1"/>
          <call control-id="ma-2"/>
-         <call subcontrol-id="ma-2.2"/>
+         <call control-id="ma-2.2"/>
          <call control-id="ma-3"/>
-         <call subcontrol-id="ma-3.1"/>
-         <call subcontrol-id="ma-3.2"/>
-         <call subcontrol-id="ma-3.3"/>
+         <call control-id="ma-3.1"/>
+         <call control-id="ma-3.2"/>
+         <call control-id="ma-3.3"/>
          <call control-id="ma-4"/>
-         <call subcontrol-id="ma-4.2"/>
-         <call subcontrol-id="ma-4.3"/>
+         <call control-id="ma-4.2"/>
+         <call control-id="ma-4.3"/>
          <call control-id="ma-5"/>
-         <call subcontrol-id="ma-5.1"/>
+         <call control-id="ma-5.1"/>
          <call control-id="ma-6"/>
          <call control-id="mp-1"/>
          <call control-id="mp-2"/>
          <call control-id="mp-3"/>
          <call control-id="mp-4"/>
          <call control-id="mp-5"/>
-         <call subcontrol-id="mp-5.4"/>
+         <call control-id="mp-5.4"/>
          <call control-id="mp-6"/>
-         <call subcontrol-id="mp-6.1"/>
-         <call subcontrol-id="mp-6.2"/>
-         <call subcontrol-id="mp-6.3"/>
+         <call control-id="mp-6.1"/>
+         <call control-id="mp-6.2"/>
+         <call control-id="mp-6.3"/>
          <call control-id="mp-7"/>
-         <call subcontrol-id="mp-7.1"/>
+         <call control-id="mp-7.1"/>
          <call control-id="pe-1"/>
          <call control-id="pe-2"/>
          <call control-id="pe-3"/>
-         <call subcontrol-id="pe-3.1"/>
+         <call control-id="pe-3.1"/>
          <call control-id="pe-4"/>
          <call control-id="pe-5"/>
          <call control-id="pe-6"/>
-         <call subcontrol-id="pe-6.1"/>
-         <call subcontrol-id="pe-6.4"/>
+         <call control-id="pe-6.1"/>
+         <call control-id="pe-6.4"/>
          <call control-id="pe-8"/>
-         <call subcontrol-id="pe-8.1"/>
+         <call control-id="pe-8.1"/>
          <call control-id="pe-9"/>
          <call control-id="pe-10"/>
          <call control-id="pe-11"/>
-         <call subcontrol-id="pe-11.1"/>
+         <call control-id="pe-11.1"/>
          <call control-id="pe-12"/>
          <call control-id="pe-13"/>
-         <call subcontrol-id="pe-13.1"/>
-         <call subcontrol-id="pe-13.2"/>
-         <call subcontrol-id="pe-13.3"/>
+         <call control-id="pe-13.1"/>
+         <call control-id="pe-13.2"/>
+         <call control-id="pe-13.3"/>
          <call control-id="pe-14"/>
          <call control-id="pe-15"/>
-         <call subcontrol-id="pe-15.1"/>
+         <call control-id="pe-15.1"/>
          <call control-id="pe-16"/>
          <call control-id="pe-17"/>
          <call control-id="pe-18"/>
          <call control-id="pl-1"/>
          <call control-id="pl-2"/>
-         <call subcontrol-id="pl-2.3"/>
+         <call control-id="pl-2.3"/>
          <call control-id="pl-4"/>
-         <call subcontrol-id="pl-4.1"/>
+         <call control-id="pl-4.1"/>
          <call control-id="pl-8"/>
          <call control-id="ps-1"/>
          <call control-id="ps-2"/>
          <call control-id="ps-3"/>
          <call control-id="ps-4"/>
-         <call subcontrol-id="ps-4.2"/>
+         <call control-id="ps-4.2"/>
          <call control-id="ps-5"/>
          <call control-id="ps-6"/>
          <call control-id="ps-7"/>
@@ -295,22 +295,22 @@
          <call control-id="ra-2"/>
          <call control-id="ra-3"/>
          <call control-id="ra-5"/>
-         <call subcontrol-id="ra-5.1"/>
-         <call subcontrol-id="ra-5.2"/>
-         <call subcontrol-id="ra-5.4"/>
-         <call subcontrol-id="ra-5.5"/>
+         <call control-id="ra-5.1"/>
+         <call control-id="ra-5.2"/>
+         <call control-id="ra-5.4"/>
+         <call control-id="ra-5.5"/>
          <call control-id="sa-1"/>
          <call control-id="sa-2"/>
          <call control-id="sa-3"/>
          <call control-id="sa-4"/>
-         <call subcontrol-id="sa-4.1"/>
-         <call subcontrol-id="sa-4.2"/>
-         <call subcontrol-id="sa-4.9"/>
-         <call subcontrol-id="sa-4.10"/>
+         <call control-id="sa-4.1"/>
+         <call control-id="sa-4.2"/>
+         <call control-id="sa-4.9"/>
+         <call control-id="sa-4.10"/>
          <call control-id="sa-5"/>
          <call control-id="sa-8"/>
          <call control-id="sa-9"/>
-         <call subcontrol-id="sa-9.2"/>
+         <call control-id="sa-9.2"/>
          <call control-id="sa-10"/>
          <call control-id="sa-11"/>
          <call control-id="sa-12"/>
@@ -323,18 +323,18 @@
          <call control-id="sc-4"/>
          <call control-id="sc-5"/>
          <call control-id="sc-7"/>
-         <call subcontrol-id="sc-7.3"/>
-         <call subcontrol-id="sc-7.4"/>
-         <call subcontrol-id="sc-7.5"/>
-         <call subcontrol-id="sc-7.7"/>
-         <call subcontrol-id="sc-7.8"/>
-         <call subcontrol-id="sc-7.18"/>
-         <call subcontrol-id="sc-7.21"/>
+         <call control-id="sc-7.3"/>
+         <call control-id="sc-7.4"/>
+         <call control-id="sc-7.5"/>
+         <call control-id="sc-7.7"/>
+         <call control-id="sc-7.8"/>
+         <call control-id="sc-7.18"/>
+         <call control-id="sc-7.21"/>
          <call control-id="sc-8"/>
-         <call subcontrol-id="sc-8.1"/>
+         <call control-id="sc-8.1"/>
          <call control-id="sc-10"/>
          <call control-id="sc-12"/>
-         <call subcontrol-id="sc-12.1"/>
+         <call control-id="sc-12.1"/>
          <call control-id="sc-13"/>
          <call control-id="sc-15"/>
          <call control-id="sc-17"/>
@@ -349,27 +349,27 @@
          <call control-id="sc-39"/>
          <call control-id="si-1"/>
          <call control-id="si-2"/>
-         <call subcontrol-id="si-2.1"/>
-         <call subcontrol-id="si-2.2"/>
+         <call control-id="si-2.1"/>
+         <call control-id="si-2.2"/>
          <call control-id="si-3"/>
-         <call subcontrol-id="si-3.1"/>
-         <call subcontrol-id="si-3.2"/>
+         <call control-id="si-3.1"/>
+         <call control-id="si-3.2"/>
          <call control-id="si-4"/>
-         <call subcontrol-id="si-4.2"/>
-         <call subcontrol-id="si-4.4"/>
-         <call subcontrol-id="si-4.5"/>
+         <call control-id="si-4.2"/>
+         <call control-id="si-4.4"/>
+         <call control-id="si-4.5"/>
          <call control-id="si-5"/>
-         <call subcontrol-id="si-5.1"/>
+         <call control-id="si-5.1"/>
          <call control-id="si-6"/>
          <call control-id="si-7"/>
-         <call subcontrol-id="si-7.1"/>
-         <call subcontrol-id="si-7.2"/>
-         <call subcontrol-id="si-7.5"/>
-         <call subcontrol-id="si-7.7"/>
-         <call subcontrol-id="si-7.14"/>
+         <call control-id="si-7.1"/>
+         <call control-id="si-7.2"/>
+         <call control-id="si-7.5"/>
+         <call control-id="si-7.7"/>
+         <call control-id="si-7.14"/>
          <call control-id="si-8"/>
-         <call subcontrol-id="si-8.1"/>
-         <call subcontrol-id="si-8.2"/>
+         <call control-id="si-8.1"/>
+         <call control-id="si-8.2"/>
          <call control-id="si-10"/>
          <call control-id="si-11"/>
          <call control-id="si-12"/>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
index 028a5b9aed..41e8763164 100644
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
+++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
@@ -79,19 +79,19 @@
          <call control-id="cp-10"/>
          <call control-id="ia-1"/>
          <call control-id="ia-2"/>
-         <call subcontrol-id="ia-2.1"/>
-         <call subcontrol-id="ia-2.12"/>
+         <call control-id="ia-2.1"/>
+         <call control-id="ia-2.12"/>
          <call control-id="ia-4"/>
          <call control-id="ia-5"/>
-         <call subcontrol-id="ia-5.1"/>
-         <call subcontrol-id="ia-5.11"/>
+         <call control-id="ia-5.1"/>
+         <call control-id="ia-5.11"/>
          <call control-id="ia-6"/>
          <call control-id="ia-7"/>
          <call control-id="ia-8"/>
-         <call subcontrol-id="ia-8.1"/>
-         <call subcontrol-id="ia-8.2"/>
-         <call subcontrol-id="ia-8.3"/>
-         <call subcontrol-id="ia-8.4"/>
+         <call control-id="ia-8.1"/>
+         <call control-id="ia-8.2"/>
+         <call control-id="ia-8.3"/>
+         <call control-id="ia-8.4"/>
          <call control-id="ir-1"/>
          <call control-id="ir-2"/>
          <call control-id="ir-4"/>
@@ -136,7 +136,7 @@
          <call control-id="sa-2"/>
          <call control-id="sa-3"/>
          <call control-id="sa-4"/>
-         <call subcontrol-id="sa-4.10"/>
+         <call control-id="sa-4.10"/>
          <call control-id="sa-5"/>
          <call control-id="sa-9"/>
          <call control-id="sc-1"/>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
index e9143a3f59..4f29fa8759 100644
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
+++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
@@ -34,156 +34,156 @@
       <include>
          <call control-id="ac-1"/>
          <call control-id="ac-2"/>
-         <call subcontrol-id="ac-2.1"/>
-         <call subcontrol-id="ac-2.2"/>
-         <call subcontrol-id="ac-2.3"/>
-         <call subcontrol-id="ac-2.4"/>
+         <call control-id="ac-2.1"/>
+         <call control-id="ac-2.2"/>
+         <call control-id="ac-2.3"/>
+         <call control-id="ac-2.4"/>
          <call control-id="ac-3"/>
          <call control-id="ac-4"/>
          <call control-id="ac-5"/>
          <call control-id="ac-6"/>
-         <call subcontrol-id="ac-6.1"/>
-         <call subcontrol-id="ac-6.2"/>
-         <call subcontrol-id="ac-6.5"/>
-         <call subcontrol-id="ac-6.9"/>
-         <call subcontrol-id="ac-6.10"/>
+         <call control-id="ac-6.1"/>
+         <call control-id="ac-6.2"/>
+         <call control-id="ac-6.5"/>
+         <call control-id="ac-6.9"/>
+         <call control-id="ac-6.10"/>
          <call control-id="ac-7"/>
          <call control-id="ac-8"/>
          <call control-id="ac-11"/>
-         <call subcontrol-id="ac-11.1"/>
+         <call control-id="ac-11.1"/>
          <call control-id="ac-12"/>
          <call control-id="ac-14"/>
          <call control-id="ac-17"/>
-         <call subcontrol-id="ac-17.1"/>
-         <call subcontrol-id="ac-17.2"/>
-         <call subcontrol-id="ac-17.3"/>
-         <call subcontrol-id="ac-17.4"/>
+         <call control-id="ac-17.1"/>
+         <call control-id="ac-17.2"/>
+         <call control-id="ac-17.3"/>
+         <call control-id="ac-17.4"/>
          <call control-id="ac-18"/>
-         <call subcontrol-id="ac-18.1"/>
+         <call control-id="ac-18.1"/>
          <call control-id="ac-19"/>
-         <call subcontrol-id="ac-19.5"/>
+         <call control-id="ac-19.5"/>
          <call control-id="ac-20"/>
-         <call subcontrol-id="ac-20.1"/>
-         <call subcontrol-id="ac-20.2"/>
+         <call control-id="ac-20.1"/>
+         <call control-id="ac-20.2"/>
          <call control-id="ac-21"/>
          <call control-id="ac-22"/>
          <call control-id="at-1"/>
          <call control-id="at-2"/>
-         <call subcontrol-id="at-2.2"/>
+         <call control-id="at-2.2"/>
          <call control-id="at-3"/>
          <call control-id="at-4"/>
          <call control-id="au-1"/>
          <call control-id="au-2"/>
-         <call subcontrol-id="au-2.3"/>
+         <call control-id="au-2.3"/>
          <call control-id="au-3"/>
-         <call subcontrol-id="au-3.1"/>
+         <call control-id="au-3.1"/>
          <call control-id="au-4"/>
          <call control-id="au-5"/>
          <call control-id="au-6"/>
-         <call subcontrol-id="au-6.1"/>
-         <call subcontrol-id="au-6.3"/>
+         <call control-id="au-6.1"/>
+         <call control-id="au-6.3"/>
          <call control-id="au-7"/>
-         <call subcontrol-id="au-7.1"/>
+         <call control-id="au-7.1"/>
          <call control-id="au-8"/>
-         <call subcontrol-id="au-8.1"/>
+         <call control-id="au-8.1"/>
          <call control-id="au-9"/>
-         <call subcontrol-id="au-9.4"/>
+         <call control-id="au-9.4"/>
          <call control-id="au-11"/>
          <call control-id="au-12"/>
          <call control-id="ca-1"/>
          <call control-id="ca-2"/>
-         <call subcontrol-id="ca-2.1"/>
+         <call control-id="ca-2.1"/>
          <call control-id="ca-3"/>
-         <call subcontrol-id="ca-3.5"/>
+         <call control-id="ca-3.5"/>
          <call control-id="ca-5"/>
          <call control-id="ca-6"/>
          <call control-id="ca-7"/>
-         <call subcontrol-id="ca-7.1"/>
+         <call control-id="ca-7.1"/>
          <call control-id="ca-9"/>
          <call control-id="cm-1"/>
          <call control-id="cm-2"/>
-         <call subcontrol-id="cm-2.1"/>
-         <call subcontrol-id="cm-2.3"/>
-         <call subcontrol-id="cm-2.7"/>
+         <call control-id="cm-2.1"/>
+         <call control-id="cm-2.3"/>
+         <call control-id="cm-2.7"/>
          <call control-id="cm-3"/>
-         <call subcontrol-id="cm-3.2"/>
+         <call control-id="cm-3.2"/>
          <call control-id="cm-4"/>
          <call control-id="cm-5"/>
          <call control-id="cm-6"/>
          <call control-id="cm-7"/>
-         <call subcontrol-id="cm-7.1"/>
-         <call subcontrol-id="cm-7.2"/>
-         <call subcontrol-id="cm-7.4"/>
+         <call control-id="cm-7.1"/>
+         <call control-id="cm-7.2"/>
+         <call control-id="cm-7.4"/>
          <call control-id="cm-8"/>
-         <call subcontrol-id="cm-8.1"/>
-         <call subcontrol-id="cm-8.3"/>
-         <call subcontrol-id="cm-8.5"/>
+         <call control-id="cm-8.1"/>
+         <call control-id="cm-8.3"/>
+         <call control-id="cm-8.5"/>
          <call control-id="cm-9"/>
          <call control-id="cm-10"/>
          <call control-id="cm-11"/>
          <call control-id="cp-1"/>
          <call control-id="cp-2"/>
-         <call subcontrol-id="cp-2.1"/>
-         <call subcontrol-id="cp-2.3"/>
-         <call subcontrol-id="cp-2.8"/>
+         <call control-id="cp-2.1"/>
+         <call control-id="cp-2.3"/>
+         <call control-id="cp-2.8"/>
          <call control-id="cp-3"/>
          <call control-id="cp-4"/>
-         <call subcontrol-id="cp-4.1"/>
+         <call control-id="cp-4.1"/>
          <call control-id="cp-6"/>
-         <call subcontrol-id="cp-6.1"/>
-         <call subcontrol-id="cp-6.3"/>
+         <call control-id="cp-6.1"/>
+         <call control-id="cp-6.3"/>
          <call control-id="cp-7"/>
-         <call subcontrol-id="cp-7.1"/>
-         <call subcontrol-id="cp-7.2"/>
-         <call subcontrol-id="cp-7.3"/>
+         <call control-id="cp-7.1"/>
+         <call control-id="cp-7.2"/>
+         <call control-id="cp-7.3"/>
          <call control-id="cp-8"/>
-         <call subcontrol-id="cp-8.1"/>
-         <call subcontrol-id="cp-8.2"/>
+         <call control-id="cp-8.1"/>
+         <call control-id="cp-8.2"/>
          <call control-id="cp-9"/>
-         <call subcontrol-id="cp-9.1"/>
+         <call control-id="cp-9.1"/>
          <call control-id="cp-10"/>
-         <call subcontrol-id="cp-10.2"/>
+         <call control-id="cp-10.2"/>
          <call control-id="ia-1"/>
          <call control-id="ia-2"/>
-         <call subcontrol-id="ia-2.1"/>
-         <call subcontrol-id="ia-2.2"/>
-         <call subcontrol-id="ia-2.3"/>
-         <call subcontrol-id="ia-2.8"/>
-         <call subcontrol-id="ia-2.11"/>
-         <call subcontrol-id="ia-2.12"/>
+         <call control-id="ia-2.1"/>
+         <call control-id="ia-2.2"/>
+         <call control-id="ia-2.3"/>
+         <call control-id="ia-2.8"/>
+         <call control-id="ia-2.11"/>
+         <call control-id="ia-2.12"/>
          <call control-id="ia-3"/>
          <call control-id="ia-4"/>
          <call control-id="ia-5"/>
-         <call subcontrol-id="ia-5.1"/>
-         <call subcontrol-id="ia-5.2"/>
-         <call subcontrol-id="ia-5.3"/>
-         <call subcontrol-id="ia-5.11"/>
+         <call control-id="ia-5.1"/>
+         <call control-id="ia-5.2"/>
+         <call control-id="ia-5.3"/>
+         <call control-id="ia-5.11"/>
          <call control-id="ia-6"/>
          <call control-id="ia-7"/>
          <call control-id="ia-8"/>
-         <call subcontrol-id="ia-8.1"/>
-         <call subcontrol-id="ia-8.2"/>
-         <call subcontrol-id="ia-8.3"/>
-         <call subcontrol-id="ia-8.4"/>
+         <call control-id="ia-8.1"/>
+         <call control-id="ia-8.2"/>
+         <call control-id="ia-8.3"/>
+         <call control-id="ia-8.4"/>
          <call control-id="ir-1"/>
          <call control-id="ir-2"/>
          <call control-id="ir-3"/>
-         <call subcontrol-id="ir-3.2"/>
+         <call control-id="ir-3.2"/>
          <call control-id="ir-4"/>
-         <call subcontrol-id="ir-4.1"/>
+         <call control-id="ir-4.1"/>
          <call control-id="ir-5"/>
          <call control-id="ir-6"/>
-         <call subcontrol-id="ir-6.1"/>
+         <call control-id="ir-6.1"/>
          <call control-id="ir-7"/>
-         <call subcontrol-id="ir-7.1"/>
+         <call control-id="ir-7.1"/>
          <call control-id="ir-8"/>
          <call control-id="ma-1"/>
          <call control-id="ma-2"/>
          <call control-id="ma-3"/>
-         <call subcontrol-id="ma-3.1"/>
-         <call subcontrol-id="ma-3.2"/>
+         <call control-id="ma-3.1"/>
+         <call control-id="ma-3.2"/>
          <call control-id="ma-4"/>
-         <call subcontrol-id="ma-4.2"/>
+         <call control-id="ma-4.2"/>
          <call control-id="ma-5"/>
          <call control-id="ma-6"/>
          <call control-id="mp-1"/>
@@ -191,33 +191,33 @@
          <call control-id="mp-3"/>
          <call control-id="mp-4"/>
          <call control-id="mp-5"/>
-         <call subcontrol-id="mp-5.4"/>
+         <call control-id="mp-5.4"/>
          <call control-id="mp-6"/>
          <call control-id="mp-7"/>
-         <call subcontrol-id="mp-7.1"/>
+         <call control-id="mp-7.1"/>
          <call control-id="pe-1"/>
          <call control-id="pe-2"/>
          <call control-id="pe-3"/>
          <call control-id="pe-4"/>
          <call control-id="pe-5"/>
          <call control-id="pe-6"/>
-         <call subcontrol-id="pe-6.1"/>
+         <call control-id="pe-6.1"/>
          <call control-id="pe-8"/>
          <call control-id="pe-9"/>
          <call control-id="pe-10"/>
          <call control-id="pe-11"/>
          <call control-id="pe-12"/>
          <call control-id="pe-13"/>
-         <call subcontrol-id="pe-13.3"/>
+         <call control-id="pe-13.3"/>
          <call control-id="pe-14"/>
          <call control-id="pe-15"/>
          <call control-id="pe-16"/>
          <call control-id="pe-17"/>
          <call control-id="pl-1"/>
          <call control-id="pl-2"/>
-         <call subcontrol-id="pl-2.3"/>
+         <call control-id="pl-2.3"/>
          <call control-id="pl-4"/>
-         <call subcontrol-id="pl-4.1"/>
+         <call control-id="pl-4.1"/>
          <call control-id="pl-8"/>
          <call control-id="ps-1"/>
          <call control-id="ps-2"/>
@@ -231,21 +231,21 @@
          <call control-id="ra-2"/>
          <call control-id="ra-3"/>
          <call control-id="ra-5"/>
-         <call subcontrol-id="ra-5.1"/>
-         <call subcontrol-id="ra-5.2"/>
-         <call subcontrol-id="ra-5.5"/>
+         <call control-id="ra-5.1"/>
+         <call control-id="ra-5.2"/>
+         <call control-id="ra-5.5"/>
          <call control-id="sa-1"/>
          <call control-id="sa-2"/>
          <call control-id="sa-3"/>
          <call control-id="sa-4"/>
-         <call subcontrol-id="sa-4.1"/>
-         <call subcontrol-id="sa-4.2"/>
-         <call subcontrol-id="sa-4.9"/>
-         <call subcontrol-id="sa-4.10"/>
+         <call control-id="sa-4.1"/>
+         <call control-id="sa-4.2"/>
+         <call control-id="sa-4.9"/>
+         <call control-id="sa-4.10"/>
          <call control-id="sa-5"/>
          <call control-id="sa-8"/>
          <call control-id="sa-9"/>
-         <call subcontrol-id="sa-9.2"/>
+         <call control-id="sa-9.2"/>
          <call control-id="sa-10"/>
          <call control-id="sa-11"/>
          <call control-id="sc-1"/>
@@ -253,12 +253,12 @@
          <call control-id="sc-4"/>
          <call control-id="sc-5"/>
          <call control-id="sc-7"/>
-         <call subcontrol-id="sc-7.3"/>
-         <call subcontrol-id="sc-7.4"/>
-         <call subcontrol-id="sc-7.5"/>
-         <call subcontrol-id="sc-7.7"/>
+         <call control-id="sc-7.3"/>
+         <call control-id="sc-7.4"/>
+         <call control-id="sc-7.5"/>
+         <call control-id="sc-7.7"/>
          <call control-id="sc-8"/>
-         <call subcontrol-id="sc-8.1"/>
+         <call control-id="sc-8.1"/>
          <call control-id="sc-10"/>
          <call control-id="sc-12"/>
          <call control-id="sc-13"/>
@@ -274,21 +274,21 @@
          <call control-id="sc-39"/>
          <call control-id="si-1"/>
          <call control-id="si-2"/>
-         <call subcontrol-id="si-2.2"/>
+         <call control-id="si-2.2"/>
          <call control-id="si-3"/>
-         <call subcontrol-id="si-3.1"/>
-         <call subcontrol-id="si-3.2"/>
+         <call control-id="si-3.1"/>
+         <call control-id="si-3.2"/>
          <call control-id="si-4"/>
-         <call subcontrol-id="si-4.2"/>
-         <call subcontrol-id="si-4.4"/>
-         <call subcontrol-id="si-4.5"/>
+         <call control-id="si-4.2"/>
+         <call control-id="si-4.4"/>
+         <call control-id="si-4.5"/>
          <call control-id="si-5"/>
          <call control-id="si-7"/>
-         <call subcontrol-id="si-7.1"/>
-         <call subcontrol-id="si-7.7"/>
+         <call control-id="si-7.1"/>
+         <call control-id="si-7.7"/>
          <call control-id="si-8"/>
-         <call subcontrol-id="si-8.1"/>
-         <call subcontrol-id="si-8.2"/>
+         <call control-id="si-8.1"/>
+         <call control-id="si-8.2"/>
          <call control-id="si-10"/>
          <call control-id="si-11"/>
          <call control-id="si-12"/>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
index 8886c2b410..7b6db83db8 100644
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
+++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- XML produced by extraction/mapping from NVD XML 2018-11-02T16:55:46.916-04:00 -->
-<!-- Subsequently updated by hand (2018-12-10, 2019-05-16, 2019-05-29, 2019-08-17) -->
+<!-- Subsequently updated by hand (2018-12-10, 2019-05-16, 2019-05-29, 2019-08-17, 2019-08-23) -->
 <!-- Valid against the OSCAL catalog schema (project path /xml/schema/oscal-catalog-schema.xsd) -->
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-   id="uuid-f3de8b2b-dc8e-4b17-9653-e83b708a6663">
+   id="uuid-164e503d-1a64-4373-8926-7c51b8ba2913">
    <metadata>
       <title>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations</title>
       
@@ -486,7 +486,7 @@
                <p>automated mechanisms for implementing account management</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.1">
+         <control class="SP800-53-enhancement" id="ac-2.1">
             <title>Automated System Account Management</title>
             <prop name="label">AC-2(1)</prop>
             <part id="ac-2.1_smt" name="statement">
@@ -524,8 +524,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.2">
             <title>Removal of Temporary / Emergency Accounts</title>
             <param id="ac-2.2_prm_1">
                <select>
@@ -583,8 +583,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.3">
             <title>Disable Inactive Accounts</title>
             <param id="ac-2.3_prm_1">
                <label>organization-defined time period</label>
@@ -633,8 +633,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.4">
             <title>Automated Audit Actions</title>
             <param id="ac-2.4_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -748,8 +748,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.5">
             <title>Inactivity Logout</title>
             <param id="ac-2.5_prm_1">
                <label>organization-defined time-period of expected inactivity or description of when to log out</label>
@@ -794,8 +794,8 @@
                   <p>users that must comply with inactivity logout policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.6">
             <title>Dynamic Privilege Management</title>
             <param id="ac-2.6_prm_1">
                <label>organization-defined list of dynamic privilege management capabilities</label>
@@ -846,8 +846,8 @@
                   <p>Information system implementing dynamic privilege management capabilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.7">
             <title>Role-based Schemes</title>
             <param id="ac-2.7_prm_1">
                <label>organization-defined actions</label>
@@ -926,8 +926,8 @@
                   <p>automated mechanisms monitoring privileged role assignments</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.8">
             <title>Dynamic Account Creation</title>
             <param id="ac-2.8_prm_1">
                <label>organization-defined information system accounts</label>
@@ -978,8 +978,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.9">
             <title>Restrictions On Use of Shared / Group Accounts</title>
             <param id="ac-2.9_prm_1">
                <label>organization-defined conditions for establishing shared/group accounts</label>
@@ -1025,8 +1025,8 @@
                   <p>Automated mechanisms implementing management of shared/group accounts</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.10">
             <title>Shared / Group Account Credential Termination</title>
             <prop name="label">AC-2(10)</prop>
             <part id="ac-2.10_smt" name="statement">
@@ -1062,8 +1062,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.11">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.11">
             <title>Usage Conditions</title>
             <param id="ac-2.11_prm_1">
                <label>organization-defined circumstances and/or usage conditions</label>
@@ -1120,8 +1120,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.12">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.12">
             <title>Account Monitoring / Atypical Usage</title>
             <param id="ac-2.12_prm_1">
                <label>organization-defined atypical usage</label>
@@ -1199,8 +1199,8 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-2.13">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-2.13">
             <title>Disable Accounts for High-risk Individuals</title>
             <param id="ac-2.13_prm_1">
                <label>organization-defined time period</label>
@@ -1251,7 +1251,7 @@
                   <p>Automated mechanisms implementing account management functions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-3">
          <title>Access Enforcement</title>
@@ -1311,13 +1311,13 @@
                <p>Automated mechanisms implementing access control policy</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.1">
+         <control class="SP800-53-enhancement" id="ac-3.1">
             <title>Restricted Access to Privileged Functions</title>
             <prop name="label">AC-3(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-6">AC-6</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.2">
             <title>Dual Authorization</title>
             <param id="ac-3.2_prm_1">
                <label>organization-defined privileged commands and/or other organization-defined actions</label>
@@ -1371,8 +1371,8 @@
                   <p>Dual authorization mechanisms implementing access control policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.3">
             <title>Mandatory Access Control</title>
             <param id="ac-3.3_prm_1">
                <label>organization-defined mandatory access control policy</label>
@@ -1536,8 +1536,8 @@
                   <p>Automated mechanisms implementing mandatory access control</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.4">
             <title>Discretionary Access Control</title>
             <param id="ac-3.4_prm_1">
                <label>organization-defined discretionary access control policy</label>
@@ -1650,8 +1650,8 @@
                   <p>Automated mechanisms implementing discretionary access control policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.5">
             <title>Security-relevant Information</title>
             <param id="ac-3.5_prm_1">
                <label>organization-defined security-relevant information</label>
@@ -1702,15 +1702,15 @@
                   <p>Automated mechanisms preventing access to security-relevant information within the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.6">
             <title>Protection of User and System Information</title>
             <prop name="label">AC-3(6)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-4">MP-4</link>
             <link rel="incorporated-into" href="#sc-28">SC-28</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.7">
             <title>Role-based Access Control</title>
             <param id="ac-3.7_prm_1">
                <label>organization-defined roles and users authorized to assume such roles</label>
@@ -1777,8 +1777,8 @@
                   <p>Automated mechanisms implementing role-based access control policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.8">
             <title>Revocation of Access Authorizations</title>
             <param id="ac-3.8_prm_1">
                <label>organization-defined rules governing the timing of revocations of access authorizations</label>
@@ -1827,8 +1827,8 @@
                   <p>Automated mechanisms implementing access enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.9">
             <title>Controlled Release</title>
             <param id="ac-3.9_prm_1">
                <label>organization-defined information system or system component</label>
@@ -1911,8 +1911,8 @@
                   <p>Automated mechanisms implementing access enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-3.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-3.10">
             <title>Audited Override of Access Control Mechanisms</title>
             <param id="ac-3.10_prm_1">
                <label>organization-defined conditions</label>
@@ -1962,7 +1962,7 @@
                   <p>Automated mechanisms implementing access enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-4">
          <title>Information Flow Enforcement</title>
@@ -2026,7 +2026,7 @@
                <p>Automated mechanisms implementing information flow enforcement policy</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.1">
+         <control class="SP800-53-enhancement" id="ac-4.1">
             <title>Object Security Attributes</title>
             <param id="ac-4.1_prm_1">
                <label>organization-defined security attributes</label>
@@ -2103,8 +2103,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.2">
             <title>Processing Domains</title>
             <param id="ac-4.2_prm_1">
                <label>organization-defined information flow control policies</label>
@@ -2153,8 +2153,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.3">
             <title>Dynamic Information Flow Control</title>
             <param id="ac-4.3_prm_1">
                <label>organization-defined policies</label>
@@ -2205,8 +2205,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.4">
             <title>Content Check Encrypted Information</title>
             <param id="ac-4.4_prm_1">
                <select how-many="one or more">
@@ -2279,8 +2279,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.5">
             <title>Embedded Data Types</title>
             <param id="ac-4.5_prm_1">
                <label>organization-defined limitations</label>
@@ -2329,8 +2329,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.6">
             <title>Metadata</title>
             <param id="ac-4.6_prm_1">
                <label>organization-defined metadata</label>
@@ -2382,8 +2382,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.7">
             <title>One-way Flow Mechanisms</title>
             <param id="ac-4.7_prm_1">
                <label>organization-defined one-way information flows</label>
@@ -2430,8 +2430,8 @@
                   <p>Hardware mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.8">
             <title>Security Policy Filters</title>
             <param id="ac-4.8_prm_1">
                <label>organization-defined security policy filters</label>
@@ -2488,8 +2488,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.9">
             <title>Human Reviews</title>
             <param id="ac-4.9_prm_1">
                <label>organization-defined information flows</label>
@@ -2548,8 +2548,8 @@
                   <p>Automated mechanisms enforcing the use of human reviews</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.10">
             <title>Enable / Disable Security Policy Filters</title>
             <param id="ac-4.10_prm_1">
                <label>organization-defined security policy filters</label>
@@ -2607,8 +2607,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.11">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.11">
             <title>Configuration of Security Policy Filters</title>
             <param id="ac-4.11_prm_1">
                <label>organization-defined security policy filters</label>
@@ -2659,8 +2659,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.12">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.12">
             <title>Data Type Identifiers</title>
             <param id="ac-4.12_prm_1">
                <label>organization-defined data type identifiers</label>
@@ -2710,8 +2710,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.13">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.13">
             <title>Decomposition into Policy-relevant Subcomponents</title>
             <param id="ac-4.13_prm_1">
                <label>organization-defined policy-relevant subcomponents</label>
@@ -2760,8 +2760,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.14">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.14">
             <title>Security Policy Filter Constraints</title>
             <param id="ac-4.14_prm_1">
                <label>organization-defined security policy filters</label>
@@ -2812,8 +2812,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.15">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.15">
             <title>Detection of Unsanctioned Information</title>
             <param id="ac-4.15_prm_1">
                <label>organized-defined unsanctioned information</label>
@@ -2870,14 +2870,14 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.16">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.16">
             <title>Information Transfers On Interconnected Systems</title>
             <prop name="label">AC-4(16)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-4">AC-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.17">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.17">
             <title>Domain Authentication</title>
             <param id="ac-4.17_prm_1">
                <select how-many="one or more">
@@ -2956,8 +2956,8 @@
                   <p>Automated mechanisms implementing information flow enforcement policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.18">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.18">
             <title>Security Attribute Binding</title>
             <param id="ac-4.18_prm_1">
                <label>organization-defined binding techniques</label>
@@ -3010,8 +3010,8 @@
                   <p>Automated mechanisms implementing information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.19">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.19">
             <title>Validation of Metadata</title>
             <prop name="label">AC-4(19)</prop>
             <part id="ac-4.19_smt" name="statement">
@@ -3051,8 +3051,8 @@
                   <p>Automated mechanisms implementing information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.20">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.20">
             <title>Approved Solutions</title>
             <param id="ac-4.20_prm_1">
                <label>organization-defined solutions in approved configurations</label>
@@ -3110,8 +3110,8 @@
                   <p>Automated mechanisms implementing information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.21">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.21">
             <title>Physical / Logical Separation of Information Flows</title>
             <param id="ac-4.21_prm_1">
                <label>organization-defined mechanisms and/or techniques</label>
@@ -3170,8 +3170,8 @@
                   <p>Automated mechanisms implementing information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-4.22">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-4.22">
             <title>Access Only</title>
             <prop name="label">AC-4(22)</prop>
             <part id="ac-4.22_smt" name="statement">
@@ -3208,7 +3208,7 @@
                   <p>Automated mechanisms implementing information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-5">
          <title>Separation of Duties</title>
@@ -3331,7 +3331,7 @@
                <p>Automated mechanisms implementing least privilege functions</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.1">
+         <control class="SP800-53-enhancement" id="ac-6.1">
             <title>Authorize Access to Security Functions</title>
             <param id="ac-6.1_prm_1">
                <label>organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information</label>
@@ -3406,8 +3406,8 @@
                   <p>Automated mechanisms implementing least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.2">
             <title>Non-privileged Access for Nonsecurity Functions</title>
             <param id="ac-6.2_prm_1">
                <label>organization-defined security functions or security-relevant information</label>
@@ -3456,8 +3456,8 @@
                   <p>Automated mechanisms implementing least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.3">
             <title>Network Access to Privileged Commands</title>
             <param id="ac-6.3_prm_1">
                <label>organization-defined privileged commands</label>
@@ -3517,8 +3517,8 @@
                   <p>Automated mechanisms implementing least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.4">
             <title>Separate Processing Domains</title>
             <prop name="label">AC-6(4)</prop>
             <part id="ac-6.4_smt" name="statement">
@@ -3559,8 +3559,8 @@
                   <p>Automated mechanisms implementing least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.5">
             <title>Privileged Accounts</title>
             <param id="ac-6.5_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -3610,8 +3610,8 @@
                   <p>Automated mechanisms implementing least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.6">
             <title>Privileged Access by Non-organizational Users</title>
             <prop name="label">AC-6(6)</prop>
             <part id="ac-6.6_smt" name="statement">
@@ -3649,8 +3649,8 @@
                   <p>Automated mechanisms prohibiting privileged access to the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.7">
             <title>Review of User Privileges</title>
             <param id="ac-6.7_prm_1">
                <label>organization-defined frequency</label>
@@ -3726,8 +3726,8 @@
                   <p>Automated mechanisms implementing review of user privileges</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.8">
             <title>Privilege Levels for Code Execution</title>
             <param id="ac-6.8_prm_1">
                <label>organization-defined software</label>
@@ -3777,8 +3777,8 @@
                   <p>Automated mechanisms implementing least privilege functions for software execution</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.9">
             <title>Auditing Use of Privileged Functions</title>
             <prop name="label">AC-6(9)</prop>
             <part id="ac-6.9_smt" name="statement">
@@ -3819,8 +3819,8 @@
                   <p>Automated mechanisms auditing the execution of least privilege functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-6.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-6.10">
             <title>Prohibit Non-privileged Users from Executing Privileged Functions</title>
             <prop name="label">AC-6(10)</prop>
             <part id="ac-6.10_smt" name="statement">
@@ -3870,7 +3870,7 @@
                   <p>Automated mechanisms implementing least privilege functions for non-privileged users</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-7">
          <title>Unsuccessful Logon Attempts</title>
@@ -3979,13 +3979,13 @@
                <p>Automated mechanisms implementing access control policy for unsuccessful logon attempts</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-7.1">
+         <control class="SP800-53-enhancement" id="ac-7.1">
             <title>Automatic Account Lock</title>
             <prop name="label">AC-7(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-7">AC-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-7.2">
             <title>Purge / Wipe Mobile Device</title>
             <param id="ac-7.2_prm_1">
                <label>organization-defined mobile devices</label>
@@ -4052,7 +4052,7 @@
                   <p>Automated mechanisms implementing access control policy for unsuccessful device logon attempts</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-8">
          <title>System Use Notification</title>
@@ -4235,7 +4235,7 @@
                <p>Automated mechanisms implementing access control policy for previous logon notification</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-9.1">
+         <control class="SP800-53-enhancement" id="ac-9.1">
             <title>Unsuccessful Logons</title>
             <prop name="label">AC-9(1)</prop>
             <part id="ac-9.1_smt" name="statement">
@@ -4269,8 +4269,8 @@
                   <p>Automated mechanisms implementing access control policy for previous logon notification</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-9.2">
             <title>Successful / Unsuccessful Logons</title>
             <param id="ac-9.2_prm_1">
                <select>
@@ -4338,8 +4338,8 @@
                   <p>Automated mechanisms implementing access control policy for previous logon notification</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-9.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-9.3">
             <title>Notification of Account Changes</title>
             <param id="ac-9.3_prm_1">
                <label>organization-defined security-related characteristics/parameters of the user’s account</label>
@@ -4391,8 +4391,8 @@
                   <p>Automated mechanisms implementing access control policy for previous logon notification</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-9.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-9.4">
             <title>Additional Logon Information</title>
             <param id="ac-9.4_prm_1">
                <label>organization-defined information to be included in addition to the date and time of the last logon (access)</label>
@@ -4440,7 +4440,7 @@
                   <p>Automated mechanisms implementing access control policy for previous logon notification</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-10">
          <title>Concurrent Session Control</title>
@@ -4564,7 +4564,7 @@
                <p>Automated mechanisms implementing access control policy for session lock</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-11.1">
+         <control class="SP800-53-enhancement" id="ac-11.1">
             <title>Pattern-hiding Displays</title>
             <prop name="label">AC-11(1)</prop>
             <part id="ac-11.1_smt" name="statement">
@@ -4601,7 +4601,7 @@
                   <p>Information system session lock mechanisms</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-12">
          <title>Session Termination</title>
@@ -4654,7 +4654,7 @@
                <p>Automated mechanisms implementing user session termination</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-12.1">
+         <control class="SP800-53-enhancement" id="ac-12.1">
             <title>User-initiated Logouts / Message Displays</title>
             <param id="ac-12.1_prm_1">
                <label>organization-defined information resources</label>
@@ -4720,7 +4720,7 @@
                   <p>Information system session lock mechanisms</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-13">
          <title>Supervision and Review - Access Control</title>
@@ -4788,12 +4788,12 @@
                <p>organizational personnel with information security responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-14.1">
+         <control class="SP800-53-enhancement" id="ac-14.1">
             <title>Necessary Uses</title>
             <prop name="label">AC-14(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-14">AC-14</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-15">
          <title>Automated Marking</title>
@@ -4946,7 +4946,7 @@
                <p>Organizational capability supporting and maintaining the association of security attributes to information in storage, in process, and in transmission</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.1">
+         <control class="SP800-53-enhancement" id="ac-16.1">
             <title>Dynamic Attribute Association</title>
             <param id="ac-16.1_prm_1">
                <label>organization-defined subjects and objects</label>
@@ -5002,8 +5002,8 @@
                   <p>Automated mechanisms implementing dynamic association of security attributes to information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.2">
             <title>Attribute Value Changes by Authorized Individuals</title>
             <prop name="label">AC-16(2)</prop>
             <part id="ac-16.2_smt" name="statement">
@@ -5043,8 +5043,8 @@
                   <p>Automated mechanisms permitting changes to values of security attributes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.3">
             <title>Maintenance of Attribute Associations by Information System</title>
             <param id="ac-16.3_prm_1">
                <label>organization-defined security attributes</label>
@@ -5097,8 +5097,8 @@
                   <p>Automated mechanisms maintaining association and integrity of security attributes to information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.4">
             <title>Association of Attributes by Authorized Individuals</title>
             <param id="ac-16.4_prm_1">
                <label>organization-defined security attributes</label>
@@ -5154,8 +5154,8 @@
                   <p>Automated mechanisms supporting user associations of security attributes to information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.5">
             <title>Attribute Displays for Output Devices</title>
             <param id="ac-16.5_prm_1">
                <label>organization-identified special dissemination, handling, or distribution instructions</label>
@@ -5211,8 +5211,8 @@
                   <p>System output devices displaying security attributes in human-readable form on each object</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.6">
             <title>Maintenance of Attribute Association by Organization</title>
             <param id="ac-16.6_prm_1">
                <label>organization-defined security attributes</label>
@@ -5271,8 +5271,8 @@
                   <p>Automated mechanisms supporting associations of security attributes to subjects and objects</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.7">
             <title>Consistent Attribute Interpretation</title>
             <prop name="label">AC-16(7)</prop>
             <part id="ac-16.7_smt" name="statement">
@@ -5311,8 +5311,8 @@
                   <p>Automated mechanisms implementing access enforcement and information flow enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.8">
             <title>Association Techniques / Technologies</title>
             <param id="ac-16.8_prm_1">
                <label>organization-defined techniques or technologies</label>
@@ -5367,8 +5367,8 @@
                   <p>Automated mechanisms implementing techniques or technologies associating security attributes to information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.9">
             <title>Attribute Reassignment</title>
             <param id="ac-16.9_prm_1">
                <label>organization-defined techniques or procedures</label>
@@ -5416,8 +5416,8 @@
                   <p>Automated mechanisms implementing techniques or procedures for reassigning association of security attributes to information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-16.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-16.10">
             <title>Attribute Configuration by Authorized Individuals</title>
             <prop name="label">AC-16(10)</prop>
             <part id="ac-16.10_smt" name="statement">
@@ -5454,7 +5454,7 @@
                   <p>Automated mechanisms implementing capability for defining or changing security attributes</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-17">
          <title>Remote Access</title>
@@ -5567,7 +5567,7 @@
                <p>Remote access management capability for the information system</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.1">
+         <control class="SP800-53-enhancement" id="ac-17.1">
             <title>Automated Monitoring / Control</title>
             <prop name="label">AC-17(1)</prop>
             <part id="ac-17.1_smt" name="statement">
@@ -5607,8 +5607,8 @@
                   <p>Automated mechanisms monitoring and controlling remote access methods</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.2">
             <title>Protection of Confidentiality / Integrity Using Encryption</title>
             <prop name="label">AC-17(2)</prop>
             <part id="ac-17.2_smt" name="statement">
@@ -5649,8 +5649,8 @@
                   <p>Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.3">
             <title>Managed Access Control Points</title>
             <param id="ac-17.3_prm_1">
                <label>organization-defined number</label>
@@ -5699,8 +5699,8 @@
                   <p>Automated mechanisms routing all remote accesses through managed network access control points</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.4">
             <title>Privileged Commands / Access</title>
             <param id="ac-17.4_prm_1">
                <label>organization-defined needs</label>
@@ -5764,14 +5764,14 @@
                   <p>Automated mechanisms implementing remote access management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.5">
             <title>Monitoring for Unauthorized Connections</title>
             <prop name="label">AC-17(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.6">
             <title>Protection of Information</title>
             <prop name="label">AC-17(6)</prop>
             <part id="ac-17.6_smt" name="statement">
@@ -5801,20 +5801,20 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.7">
             <title>Additional Protection for Security Function Access</title>
             <prop name="label">AC-17(7)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-3.10">AC-3 (10)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.8">
             <title>Disable Nonsecure Network Protocols</title>
             <prop name="label">AC-17(8)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-17.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-17.9">
             <title>Disconnect / Disable Access</title>
             <param id="ac-17.9_prm_1">
                <label>organization-defined time period</label>
@@ -5862,7 +5862,7 @@
                   <p>Automated mechanisms implementing capability to disconnect or disable remote access to information system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-18">
          <title>Wireless Access</title>
@@ -5946,7 +5946,7 @@
                <p>Wireless access management capability for the information system</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-18.1">
+         <control class="SP800-53-enhancement" id="ac-18.1">
             <title>Authentication and Encryption</title>
             <param id="ac-18.1_prm_1">
                <select how-many="one or more">
@@ -5998,14 +5998,14 @@
                   <p>Automated mechanisms implementing wireless access protections to the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-18.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-18.2">
             <title>Monitoring Unauthorized Connections</title>
             <prop name="label">AC-18(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-18.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-18.3">
             <title>Disable Wireless Networking</title>
             <prop name="label">AC-18(3)</prop>
             <part id="ac-18.3_smt" name="statement">
@@ -6041,8 +6041,8 @@
                   <p>Automated mechanisms managing the disabling of wireless networking capabilities internally embedded within information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-18.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-18.4">
             <title>Restrict Configurations by Users</title>
             <prop name="label">AC-18(4)</prop>
             <part id="ac-18.4_smt" name="statement">
@@ -6088,8 +6088,8 @@
                   <p>Automated mechanisms authorizing independent user configuration of wireless networking capabilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-18.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-18.5">
             <title>Antennas / Transmission Power Levels</title>
             <prop name="label">AC-18(5)</prop>
             <part id="ac-18.5_smt" name="statement">
@@ -6134,7 +6134,7 @@
                   <p>Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-19">
          <title>Access Control for Mobile Devices</title>
@@ -6224,25 +6224,25 @@
                <p>Access control capability authorizing mobile device connections to organizational information systems</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-19.1">
+         <control class="SP800-53-enhancement" id="ac-19.1">
             <title>Use of Writable / Portable Storage Devices</title>
             <prop name="label">AC-19(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-19.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-19.2">
             <title>Use of Personally Owned Portable Storage Devices</title>
             <prop name="label">AC-19(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-19.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-19.3">
             <title>Use of Portable Storage Devices with No Identifiable Owner</title>
             <prop name="label">AC-19(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-19.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-19.4">
             <title>Restrictions for Classified Information</title>
             <param id="ac-19.4_prm_1">
                <label>organization-defined security officials</label>
@@ -6371,8 +6371,8 @@
                   <p>Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-19.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-19.5">
             <title>Full Device / Container-based Encryption</title>
             <param id="ac-19.5_prm_1">
                <select>
@@ -6430,7 +6430,7 @@
                   <p>Encryption mechanisms protecting confidentiality and integrity of information on mobile devices</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-20">
          <title>Use of External Information Systems</title>
@@ -6493,7 +6493,7 @@
                <p>Automated mechanisms implementing terms and conditions on use of external information systems</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-20.1">
+         <control class="SP800-53-enhancement" id="ac-20.1">
             <title>Limits On Authorized Use</title>
             <prop name="label">AC-20(1)</prop>
             <part id="ac-20.1_smt" name="statement">
@@ -6548,8 +6548,8 @@
                   <p>Automated mechanisms implementing limits on use of external information systems</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-20.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-20.2">
             <title>Portable Storage Devices</title>
             <param id="ac-20.2_prm_1">
                <select>
@@ -6593,8 +6593,8 @@
                   <p>Automated mechanisms implementing restrictions on use of portable storage devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-20.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-20.3">
             <title>Non-organizationally Owned Systems / Components / Devices</title>
             <param id="ac-20.3_prm_1">
                <select>
@@ -6639,8 +6639,8 @@
                   <p>Automated mechanisms implementing restrictions on the use of non-organizationally owned systems/components/devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-20.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-20.4">
             <title>Network Accessible Storage Devices</title>
             <param id="ac-20.4_prm_1">
                <label>organization-defined network accessible storage devices</label>
@@ -6690,7 +6690,7 @@
                   <p>Automated mechanisms prohibiting the use of network accessible storage devices in external information systems</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-21">
          <title>Information Sharing</title>
@@ -6767,7 +6767,7 @@
                <p>Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-21.1">
+         <control class="SP800-53-enhancement" id="ac-21.1">
             <title>Automated Decision Support</title>
             <prop name="label">AC-21(1)</prop>
             <part id="ac-21.1_smt" name="statement">
@@ -6811,8 +6811,8 @@
                   <p>Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-21.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-21.2">
             <title>Information Search and Retrieval</title>
             <param id="ac-21.2_prm_1">
                <label>organization-defined information sharing restrictions</label>
@@ -6860,7 +6860,7 @@
                   <p>Information system search and retrieval services enforcing information sharing restrictions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-22">
          <title>Publicly Accessible Content</title>
@@ -7058,7 +7058,7 @@
                <p>Automated mechanisms applying established access control decisions and procedures</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ac-24.1">
+         <control class="SP800-53-enhancement" id="ac-24.1">
             <title>Transmit Access Authorization Information</title>
             <param id="ac-24.1_prm_1">
                <label>organization-defined access authorization information</label>
@@ -7121,8 +7121,8 @@
                   <p>Automated mechanisms implementing access enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ac-24.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ac-24.2">
             <title>No User or Process Identity</title>
             <param id="ac-24.2_prm_1">
                <label>organization-defined security attributes</label>
@@ -7171,7 +7171,7 @@
                   <p>Automated mechanisms implementing access enforcement functions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ac-25">
          <title>Reference Monitor</title>
@@ -7460,7 +7460,7 @@
                <p>Automated mechanisms managing security awareness training</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="at-2.1">
+         <control class="SP800-53-enhancement" id="at-2.1">
             <title>Practical Exercises</title>
             <prop name="label">AT-2(1)</prop>
             <part id="at-2.1_smt" name="statement">
@@ -7501,8 +7501,8 @@
                   <p>Automated mechanisms implementing cyber attack simulations in practical exercises</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="at-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="at-2.2">
             <title>Insider Threat</title>
             <prop name="label">AT-2(2)</prop>
             <part id="at-2.2_smt" name="statement">
@@ -7537,7 +7537,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="at-3">
          <title>Role-based Security Training</title>
@@ -7621,7 +7621,7 @@
                <p>Automated mechanisms managing role-based security training</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="at-3.1">
+         <control class="SP800-53-enhancement" id="at-3.1">
             <title>Environmental Controls</title>
             <param id="at-3.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -7678,8 +7678,8 @@
                   <p>organizational personnel with responsibilities for employing and operating environmental controls</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="at-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="at-3.2">
             <title>Physical Security Controls</title>
             <param id="at-3.2_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -7736,8 +7736,8 @@
                   <p>organizational personnel with responsibilities for employing and operating physical security controls</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="at-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="at-3.3">
             <title>Practical Exercises</title>
             <prop name="label">AT-3(3)</prop>
             <part id="at-3.3_smt" name="statement">
@@ -7767,8 +7767,8 @@
                   <p>organizational personnel that participate in security awareness training</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="at-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="at-3.4">
             <title>Suspicious Communications and Anomalous System Behavior</title>
             <param id="at-3.4_prm_1">
                <label>organization-defined indicators of malicious code</label>
@@ -7810,7 +7810,7 @@
                   <p>organizational personnel that participate in security awareness training</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="at-4">
          <title>Security Training Records</title>
@@ -8162,19 +8162,19 @@
                <p>Automated mechanisms implementing information system auditing</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-2.1">
+         <control class="SP800-53-enhancement" id="au-2.1">
             <title>Compilation of Audit Records from Multiple Sources</title>
             <prop name="label">AU-2(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-2.2">
             <title>Selection of Audit Events by Component</title>
             <prop name="label">AU-2(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-2.3">
             <title>Reviews and Updates</title>
             <param id="au-2.3_prm_1">
                <label>organization-defined frequency</label>
@@ -8223,13 +8223,13 @@
                   <p>Automated mechanisms supporting review and update of auditable events</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="au-2.4">
             <title>Privileged Functions</title>
             <prop name="label">AU-2(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-6.9">AC-6 (9)</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-3">
          <title>Content of Audit Records</title>
@@ -8298,7 +8298,7 @@
                <p>Automated mechanisms implementing information system auditing of auditable events</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-3.1">
+         <control class="SP800-53-enhancement" id="au-3.1">
             <title>Additional Audit Information</title>
             <param id="au-3.1_prm_1">
                <label>organization-defined additional, more detailed information</label>
@@ -8348,8 +8348,8 @@
                   <p>Information system audit capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-3.2">
             <title>Centralized Management of Planned Audit Record Content</title>
             <param id="au-3.2_prm_1">
                <label>organization-defined information system components</label>
@@ -8401,7 +8401,7 @@
                   <p>Information system capability implementing centralized management and configuration of audit record content</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-4">
          <title>Audit Storage Capacity</title>
@@ -8460,7 +8460,7 @@
                <p>Audit record storage capacity and related configuration settings</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-4.1">
+         <control class="SP800-53-enhancement" id="au-4.1">
             <title>Transfer to Alternate Storage</title>
             <param id="au-4.1_prm_1">
                <label>organization-defined frequency</label>
@@ -8510,7 +8510,7 @@
                   <p>Automated mechanisms supporting transfer of audit records onto a different system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-5">
          <title>Response to Audit Processing Failures</title>
@@ -8590,7 +8590,7 @@
                <p>Automated mechanisms implementing information system response to audit processing failures</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-5.1">
+         <control class="SP800-53-enhancement" id="au-5.1">
             <title>Audit Storage Capacity</title>
             <param id="au-5.1_prm_1">
                <label>organization-defined personnel, roles, and/or locations</label>
@@ -8666,8 +8666,8 @@
                   <p>Automated mechanisms implementing audit storage limit warnings</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-5.2">
             <title>Real-time Alerts</title>
             <param id="au-5.2_prm_1">
                <label>organization-defined real-time period</label>
@@ -8744,8 +8744,8 @@
                   <p>Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-5.3">
             <title>Configurable Traffic Volume Thresholds</title>
             <param id="au-5.3_prm_1">
                <select>
@@ -8811,8 +8811,8 @@
                   <p>Information system capability implementing configurable traffic volume thresholds</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="au-5.4">
             <title>Shutdown On Failure</title>
             <param id="au-5.4_prm_1">
                <select>
@@ -8886,7 +8886,7 @@
                   <p>Information system capability invoking system shutdown or degraded operational mode in the event of an audit processing failure</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-6">
          <title>Audit Review, Analysis, and Reporting</title>
@@ -8988,7 +8988,7 @@
                <p>organizational personnel with information security responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-6.1">
+         <control class="SP800-53-enhancement" id="au-6.1">
             <title>Process Integration</title>
             <prop name="label">AU-6(1)</prop>
             <part id="au-6.1_smt" name="statement">
@@ -9055,14 +9055,14 @@
                   <p>Automated mechanisms integrating audit review, analysis, and reporting processes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.2">
             <title>Automated Security Alerts</title>
             <prop name="label">AU-6(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.3">
             <title>Correlate Audit Repositories</title>
             <prop name="label">AU-6(3)</prop>
             <part id="au-6.3_smt" name="statement">
@@ -9100,8 +9100,8 @@
                   <p>Automated mechanisms supporting analysis and correlation of audit records</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.4">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.4">
             <title>Central Review and Analysis</title>
             <prop name="label">AU-6(4)</prop>
             <part id="au-6.4_smt" name="statement">
@@ -9141,8 +9141,8 @@
                   <p>Information system capability to centralize review and analysis of audit records</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.5">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.5">
             <title>Integration / Scanning and Monitoring Capabilities</title>
             <param id="au-6.5_prm_1">
                <select how-many="one or more">
@@ -9220,8 +9220,8 @@
                   <p>Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data/information sources</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.6">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.6">
             <title>Correlation with Physical Monitoring</title>
             <prop name="label">AU-6(6)</prop>
             <part id="au-6.6_smt" name="statement">
@@ -9260,8 +9260,8 @@
                   <p>Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.7">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.7">
             <title>Permitted Actions</title>
             <param id="au-6.7_prm_1">
                <select how-many="one or more">
@@ -9314,8 +9314,8 @@
                   <p>Automated mechanisms supporting permitted actions for review, analysis, and reporting of audit information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.8">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.8">
             <title>Full Text Analysis of Privileged Commands</title>
             <prop name="label">AU-6(8)</prop>
             <part id="au-6.8_smt" name="statement">
@@ -9365,8 +9365,8 @@
                   <p>Automated mechanisms implementing capability to perform a full text analysis of audited privilege commands</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.9">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.9">
             <title>Correlation with Information from Nontechnical Sources</title>
             <prop name="label">AU-6(9)</prop>
             <part id="au-6.9_smt" name="statement">
@@ -9404,8 +9404,8 @@
                   <p>Automated mechanisms implementing capability to correlate information from non-technical sources</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-6.10">
+         </control>
+         <control class="SP800-53-enhancement" id="au-6.10">
             <title>Audit Level Adjustment</title>
             <prop name="label">AU-6(10)</prop>
             <part id="au-6.10_smt" name="statement">
@@ -9454,7 +9454,7 @@
                   <p>Automated mechanisms supporting review, analysis, and reporting of audit information</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-7">
          <title>Audit Reduction and Report Generation</title>
@@ -9525,7 +9525,7 @@
                <p>Audit reduction and report generation capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-7.1">
+         <control class="SP800-53-enhancement" id="au-7.1">
             <title>Automatic Processing</title>
             <param id="au-7.1_prm_1">
                <label>organization-defined audit fields within audit records</label>
@@ -9577,8 +9577,8 @@
                   <p>Audit reduction and report generation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-7.2">
             <title>Automatic Sort and Search</title>
             <param id="au-7.2_prm_1">
                <label>organization-defined audit fields within audit records</label>
@@ -9628,7 +9628,7 @@
                   <p>Audit reduction and report generation capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-8">
          <title>Time Stamps</title>
@@ -9699,7 +9699,7 @@
                <p>Automated mechanisms implementing time stamp generation</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-8.1">
+         <control class="SP800-53-enhancement" id="au-8.1">
             <title>Synchronization with Authoritative Time Source</title>
             <param id="au-8.1_prm_1">
                <label>organization-defined frequency</label>
@@ -9781,8 +9781,8 @@
                   <p>Automated mechanisms implementing internal information system clock synchronization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-8.2">
             <title>Secondary Authoritative Time Source</title>
             <prop name="label">AU-8(2)</prop>
             <part id="au-8.2_smt" name="statement">
@@ -9816,7 +9816,7 @@
                   <p>Automated mechanisms implementing internal information system clock authoritative time sources</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-9">
          <title>Protection of Audit Information</title>
@@ -9896,7 +9896,7 @@
                <p>Automated mechanisms implementing audit information protection</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-9.1">
+         <control class="SP800-53-enhancement" id="au-9.1">
             <title>Hardware Write-once Media</title>
             <prop name="label">AU-9(1)</prop>
             <part id="au-9.1_smt" name="statement">
@@ -9939,8 +9939,8 @@
                   <p>Information system media storing audit trails</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-9.2">
             <title>Audit Backup On Separate Physical Systems / Components</title>
             <param id="au-9.2_prm_1">
                <label>organization-defined frequency</label>
@@ -9992,8 +9992,8 @@
                   <p>Automated mechanisms implementing the backing up of audit records</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-9.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-9.3">
             <title>Cryptographic Protection</title>
             <prop name="label">AU-9(3)</prop>
             <part id="au-9.3_smt" name="statement">
@@ -10043,8 +10043,8 @@
                   <p>Cryptographic mechanisms protecting integrity of audit information and tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-9.4">
+         </control>
+         <control class="SP800-53-enhancement" id="au-9.4">
             <title>Access by Subset of Privileged Users</title>
             <param id="au-9.4_prm_1">
                <label>organization-defined subset of privileged users</label>
@@ -10096,8 +10096,8 @@
                   <p>Automated mechanisms managing access to audit functionality</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-9.5">
+         </control>
+         <control class="SP800-53-enhancement" id="au-9.5">
             <title>Dual Authorization</title>
             <param id="au-9.5_prm_1">
                <select how-many="one or more">
@@ -10166,8 +10166,8 @@
                   <p>Automated mechanisms implementing enforcement of dual authorization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-9.6">
+         </control>
+         <control class="SP800-53-enhancement" id="au-9.6">
             <title>Read Only Access</title>
             <param id="au-9.6_prm_1">
                <label>organization-defined subset of privileged users</label>
@@ -10218,7 +10218,7 @@
                   <p>Automated mechanisms managing access to audit information</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-10">
          <title>Non-repudiation</title>
@@ -10274,7 +10274,7 @@
                <p>Automated mechanisms implementing non-repudiation capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-10.1">
+         <control class="SP800-53-enhancement" id="au-10.1">
             <title>Association of Identities</title>
             <param id="au-10.1_prm_1">
                <label>organization-defined strength of binding</label>
@@ -10341,8 +10341,8 @@
                   <p>Automated mechanisms implementing non-repudiation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-10.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-10.2">
             <title>Validate Binding of Information Producer Identity</title>
             <param id="au-10.2_prm_1">
                <label>organization-defined frequency</label>
@@ -10421,8 +10421,8 @@
                   <p>Automated mechanisms implementing non-repudiation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-10.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-10.3">
             <title>Chain of Custody</title>
             <prop name="label">AU-10(3)</prop>
             <part id="au-10.3_smt" name="statement">
@@ -10478,8 +10478,8 @@
                   <p>Automated mechanisms implementing non-repudiation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-10.4">
+         </control>
+         <control class="SP800-53-enhancement" id="au-10.4">
             <title>Validate Binding of Information Reviewer Identity</title>
             <param id="au-10.4_prm_1">
                <label>organization-defined security domains</label>
@@ -10557,13 +10557,13 @@
                   <p>Automated mechanisms implementing non-repudiation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-10.5">
+         </control>
+         <control class="SP800-53-enhancement" id="au-10.5">
             <title>Digital Signatures</title>
             <prop name="label">AU-10(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-11">
          <title>Audit Record Retention</title>
@@ -10621,7 +10621,7 @@
                <p>system/network administrators</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-11.1">
+         <control class="SP800-53-enhancement" id="au-11.1">
             <title>Long-term Retrieval Capability</title>
             <param id="au-11.1_prm_1">
                <label>organization-defined measures</label>
@@ -10671,7 +10671,7 @@
                   <p>Automated mechanisms implementing audit record retention capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-12">
          <title>Audit Generation</title>
@@ -10762,7 +10762,7 @@
                <p>Automated mechanisms implementing audit record generation capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-12.1">
+         <control class="SP800-53-enhancement" id="au-12.1">
             <title>System-wide / Time-correlated Audit Trail</title>
             <param id="au-12.1_prm_1">
                <label>organization-defined information system components</label>
@@ -10821,8 +10821,8 @@
                   <p>Automated mechanisms implementing audit record generation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-12.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-12.2">
             <title>Standardized Formats</title>
             <prop name="label">AU-12(2)</prop>
             <part id="au-12.2_smt" name="statement">
@@ -10861,8 +10861,8 @@
                   <p>Automated mechanisms implementing audit record generation capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-12.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-12.3">
             <title>Changes by Authorized Individuals</title>
             <param id="au-12.3_prm_1">
                <label>organization-defined individuals or roles</label>
@@ -10934,7 +10934,7 @@
                   <p>Automated mechanisms implementing audit record generation capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-13">
          <title>Monitoring for Information Disclosure</title>
@@ -10993,7 +10993,7 @@
                <p>Automated mechanisms implementing monitoring for information disclosure</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-13.1">
+         <control class="SP800-53-enhancement" id="au-13.1">
             <title>Use of Automated Tools</title>
             <prop name="label">AU-13(1)</prop>
             <part id="au-13.1_smt" name="statement">
@@ -11030,8 +11030,8 @@
                   <p>Automated mechanisms implementing monitoring for information disclosure</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-13.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-13.2">
             <title>Review of Monitored Sites</title>
             <param id="au-13.2_prm_1">
                <label>organization-defined frequency</label>
@@ -11076,7 +11076,7 @@
                   <p>Automated mechanisms implementing monitoring for information disclosure</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-14">
          <title>Session Audit</title>
@@ -11128,7 +11128,7 @@
                <p>Automated mechanisms implementing user session auditing capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-14.1">
+         <control class="SP800-53-enhancement" id="au-14.1">
             <title>System Start-up</title>
             <prop name="label">AU-14(1)</prop>
             <part id="au-14.1_smt" name="statement">
@@ -11162,8 +11162,8 @@
                   <p>Automated mechanisms implementing user session auditing capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-14.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-14.2">
             <title>Capture/record and Log Content</title>
             <prop name="label">AU-14(2)</prop>
             <part id="au-14.2_smt" name="statement">
@@ -11205,8 +11205,8 @@
                   <p>Automated mechanisms implementing user session auditing capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-14.3">
+         </control>
+         <control class="SP800-53-enhancement" id="au-14.3">
             <title>Remote Viewing / Listening</title>
             <prop name="label">AU-14(3)</prop>
             <part id="au-14.3_smt" name="statement">
@@ -11240,7 +11240,7 @@
                   <p>Automated mechanisms implementing user session auditing capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="au-15">
          <title>Alternate Audit Capability</title>
@@ -11348,7 +11348,7 @@
                <p>Automated mechanisms implementing cross-organizational auditing (if applicable)</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="au-16.1">
+         <control class="SP800-53-enhancement" id="au-16.1">
             <title>Identity Preservation</title>
             <prop name="label">AU-16(1)</prop>
             <part id="au-16.1_smt" name="statement">
@@ -11384,8 +11384,8 @@
                   <p>Automated mechanisms implementing cross-organizational auditing (if applicable)</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="au-16.2">
+         </control>
+         <control class="SP800-53-enhancement" id="au-16.2">
             <title>Sharing of Audit Information</title>
             <param id="au-16.2_prm_1">
                <label>organization-defined organizations</label>
@@ -11432,7 +11432,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="ca">
@@ -11725,7 +11725,7 @@
                <p>Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-2.1">
+         <control class="SP800-53-enhancement" id="ca-2.1">
             <title>Independent Assessors</title>
             <param id="ca-2.1_prm_1">
                <label>organization-defined level of independence</label>
@@ -11764,8 +11764,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-2.2">
             <title>Specialized Assessments</title>
             <param id="ca-2.2_prm_1">
                <label>organization-defined frequency</label>
@@ -11866,8 +11866,8 @@
                   <p>Automated mechanisms supporting security control assessment</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-2.3">
             <title>External Organizations</title>
             <param id="ca-2.3_prm_1">
                <label>organization-defined information system</label>
@@ -11926,7 +11926,7 @@
                   <p>personnel performing security assessments for the specified external organization</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ca-3">
          <title>System Interconnections</title>
@@ -12020,7 +12020,7 @@
                <p>personnel managing the system(s) to which the Interconnection Security Agreement applies</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-3.1">
+         <control class="SP800-53-enhancement" id="ca-3.1">
             <title>Unclassified National Security System Connections</title>
             <param id="ca-3.1_prm_1">
                <label>organization-defined unclassified, national security system</label>
@@ -12080,8 +12080,8 @@
                   <p>Automated mechanisms supporting the management of external network connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-3.2">
             <title>Classified National Security System Connections</title>
             <param id="ca-3.2_prm_1">
                <label>organization-defined boundary protection device</label>
@@ -12134,8 +12134,8 @@
                   <p>Automated mechanisms supporting the management of external network connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-3.3">
             <title>Unclassified Non-national Security System Connections</title>
             <param id="ca-3.3_prm_1">
                <label>organization-defined unclassified, non-national security system</label>
@@ -12195,8 +12195,8 @@
                   <p>Automated mechanisms supporting the management of external network connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-3.4">
             <title>Connections to Public Networks</title>
             <param id="ca-3.4_prm_1">
                <label>organization-defined information system</label>
@@ -12247,8 +12247,8 @@
                   <p>Automated mechanisms supporting the management of public network connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-3.5">
             <title>Restrictions On External System Connections</title>
             <param id="ca-3.5_prm_1">
                <select>
@@ -12323,7 +12323,7 @@
                   <p>Automated mechanisms implementing restrictions on external system connections</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ca-4">
          <title>Security Certification</title>
@@ -12421,7 +12421,7 @@
                <p>Automated mechanisms for developing, implementing, and maintaining plan of action and milestones</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-5.1">
+         <control class="SP800-53-enhancement" id="ca-5.1">
             <title>Automation Support for Accuracy / Currency</title>
             <prop name="label">CA-5(1)</prop>
             <part id="ca-5.1_smt" name="statement">
@@ -12466,7 +12466,7 @@
                   <p>Automated mechanisms for developing, implementing and maintaining plan of action and milestones</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ca-6">
          <title>Security Authorization</title>
@@ -12749,7 +12749,7 @@
                <p>Mechanisms implementing continuous monitoring</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-7.1">
+         <control class="SP800-53-enhancement" id="ca-7.1">
             <title>Independent Assessment</title>
             <param id="ca-7.1_prm_1">
                <label>organization-defined level of independence</label>
@@ -12793,14 +12793,14 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-7.2">
             <title>Types of Assessments</title>
             <prop name="label">CA-7(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ca-2">CA-2</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-7.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-7.3">
             <title>Trend Analyses</title>
             <prop name="label">CA-7(3)</prop>
             <part id="ca-7.3_smt" name="statement">
@@ -12846,7 +12846,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ca-8">
          <title>Penetration Testing</title>
@@ -12905,7 +12905,7 @@
                <p>Automated mechanisms supporting penetration testing</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-8.1">
+         <control class="SP800-53-enhancement" id="ca-8.1">
             <title>Independent Penetration Agent or Team</title>
             <prop name="label">CA-8(1)</prop>
             <part id="ca-8.1_smt" name="statement">
@@ -12938,8 +12938,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ca-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ca-8.2">
             <title>Red Team Exercises</title>
             <param id="ca-8.2_prm_1">
                <label>organization-defined red team exercises</label>
@@ -12999,7 +12999,7 @@
                   <p>Automated mechanisms supporting employment of red team exercises</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ca-9">
          <title>Internal System Connections</title>
@@ -13084,7 +13084,7 @@
                <p>organizational personnel with information security responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ca-9.1">
+         <control class="SP800-53-enhancement" id="ca-9.1">
             <title>Security Compliance Checks</title>
             <prop name="label">CA-9(1)</prop>
             <part id="ca-9.1_smt" name="statement">
@@ -13125,7 +13125,7 @@
                   <p>Automated mechanisms supporting compliance checks</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="cm">
@@ -13337,7 +13337,7 @@
                <p>automated mechanisms supporting configuration control of the baseline configuration</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.1">
+         <control class="SP800-53-enhancement" id="cm-2.1">
             <title>Reviews and Updates</title>
             <param id="cm-2.1_prm_1">
                <label>organization-defined frequency</label>
@@ -13426,8 +13426,8 @@
                   <p>automated mechanisms supporting review and update of the baseline configuration</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.2">
             <title>Automation Support for Accuracy / Currency</title>
             <prop name="label">CM-2(2)</prop>
             <part id="cm-2.2_smt" name="statement">
@@ -13485,8 +13485,8 @@
                   <p>automated mechanisms implementing baseline configuration maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.3">
             <title>Retention of Previous Configurations</title>
             <param id="cm-2.3_prm_1">
                <label>organization-defined previous versions of baseline configurations of the information system</label>
@@ -13535,20 +13535,20 @@
                   <p>Organizational processes for managing baseline configurations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.4">
             <title>Unauthorized Software</title>
             <prop name="label">CM-2(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.5">
             <title>Authorized Software</title>
             <prop name="label">CM-2(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.6">
             <title>Development and Test Environments</title>
             <prop name="label">CM-2(6)</prop>
             <part id="cm-2.6_smt" name="statement">
@@ -13590,8 +13590,8 @@
                   <p>automated mechanisms implementing separate baseline configurations for development, test, and operational environments</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-2.7">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-2.7">
             <title>Configure Systems, Components, or Devices for High-risk Areas</title>
             <param id="cm-2.7_prm_1">
                <label>organization-defined information systems, system components, or devices</label>
@@ -13677,7 +13677,7 @@
                   <p>Organizational processes for managing baseline configurations</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-3">
          <title>Configuration Change Control</title>
@@ -13828,7 +13828,7 @@
                <p>automated mechanisms that implement configuration change control</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.1">
+         <control class="SP800-53-enhancement" id="cm-3.1">
             <title>Automated Document / Notification / Prohibition of Changes</title>
             <param id="cm-3.1_prm_1">
                <label>organized-defined approval authorities</label>
@@ -13954,8 +13954,8 @@
                   <p>automated mechanisms implementing configuration change control activities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-3.2">
             <title>Test / Validate / Document Changes</title>
             <prop name="label">CM-3(2)</prop>
             <part id="cm-3.2_smt" name="statement">
@@ -14010,8 +14010,8 @@
                   <p>automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-3.3">
             <title>Automated Change Implementation</title>
             <prop name="label">CM-3(3)</prop>
             <part id="cm-3.3_smt" name="statement">
@@ -14058,8 +14058,8 @@
                   <p>automated mechanisms implementing changes to current information system baseline</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-3.4">
             <title>Security Representative</title>
             <param id="cm-3.4_prm_1">
                <label>organization-defined configuration change control element</label>
@@ -14105,8 +14105,8 @@
                   <p>Organizational processes for configuration change control</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-3.5">
             <title>Automated Security Response</title>
             <param id="cm-3.5_prm_1">
                <label>organization-defined security responses</label>
@@ -14160,8 +14160,8 @@
                   <p>automated mechanisms implementing security responses to changes to the baseline configurations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-3.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-3.6">
             <title>Cryptography Management</title>
             <param id="cm-3.6_prm_1">
                <label>organization-defined security safeguards</label>
@@ -14213,7 +14213,7 @@
                   <p>cryptographic mechanisms implementing organizational security safeguards</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-4">
          <title>Security Impact Analysis</title>
@@ -14263,7 +14263,7 @@
                <p>Organizational processes for security impact analysis</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-4.1">
+         <control class="SP800-53-enhancement" id="cm-4.1">
             <title>Separate Test Environments</title>
             <prop name="label">CM-4(1)</prop>
             <part id="cm-4.1_smt" name="statement">
@@ -14332,8 +14332,8 @@
                   <p>automated mechanisms supporting and/or implementing security impact analysis of changes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-4.2">
             <title>Verification of Security Functions</title>
             <prop name="label">CM-4(2)</prop>
             <part id="cm-4.2_smt" name="statement">
@@ -14386,7 +14386,7 @@
                   <p>automated mechanisms supporting and/or implementing verification of security functions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-5">
          <title>Access Restrictions for Change</title>
@@ -14468,7 +14468,7 @@
                <p>automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.1">
+         <control class="SP800-53-enhancement" id="cm-5.1">
             <title>Automated Access Enforcement / Auditing</title>
             <prop name="label">CM-5(1)</prop>
             <part id="cm-5.1_smt" name="statement">
@@ -14521,8 +14521,8 @@
                   <p>automated mechanisms supporting auditing of enforcement actions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.2">
             <title>Review System Changes</title>
             <param id="cm-5.2_prm_1">
                <label>organization-defined frequency</label>
@@ -14590,8 +14590,8 @@
                   <p>automated mechanisms supporting/implementing information system reviews to determine whether unauthorized changes have occurred</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.3">
             <title>Signed Components</title>
             <param id="cm-5.3_prm_1">
                <label>organization-defined software and firmware components</label>
@@ -14648,8 +14648,8 @@
                   <p>automated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.4">
             <title>Dual Authorization</title>
             <param id="cm-5.4_prm_1">
                <label>organization-defined information system components and system-level information</label>
@@ -14704,8 +14704,8 @@
                   <p>automated mechanisms implementing dual authorization enforcement</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.5">
             <title>Limit Production / Operational Privileges</title>
             <param id="cm-5.5_prm_1">
                <label>organization-defined frequency</label>
@@ -14777,8 +14777,8 @@
                   <p>automated mechanisms supporting and/or implementing access restrictions for change</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.6">
             <title>Limit Library Privileges</title>
             <prop name="label">CM-5(6)</prop>
             <part id="cm-5.6_smt" name="statement">
@@ -14819,13 +14819,13 @@
                   <p>automated mechanisms supporting and/or implementing access restrictions for change</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-5.7">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-5.7">
             <title>Automatic Implementation of Security Safeguards</title>
             <prop name="label">CM-5(7)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-6">
          <title>Configuration Settings</title>
@@ -14986,7 +14986,7 @@
                <p>automated mechanisms that identify and/or document deviations from established configuration settings</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-6.1">
+         <control class="SP800-53-enhancement" id="cm-6.1">
             <title>Automated Central Management / Application / Verification</title>
             <param id="cm-6.1_prm_1">
                <label>organization-defined information system components</label>
@@ -15064,8 +15064,8 @@
                   <p>automated mechanisms implemented to centrally manage, apply, and verify information system configuration settings</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-6.2">
             <title>Respond to Unauthorized Changes</title>
             <param id="cm-6.2_prm_1">
                <label>organization-defined security safeguards</label>
@@ -15128,19 +15128,19 @@
                   <p>automated mechanisms supporting and/or implementing security safeguards for response to unauthorized changes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-6.3">
             <title>Unauthorized Change Detection</title>
             <prop name="label">CM-6(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-6.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-6.4">
             <title>Conformance Demonstration</title>
             <prop name="label">CM-6(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-4">CM-4</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-7">
          <title>Least Functionality</title>
@@ -15246,7 +15246,7 @@
                <p>automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-7.1">
+         <control class="SP800-53-enhancement" id="cm-7.1">
             <title>Periodic Review</title>
             <param id="cm-7.1_prm_1">
                <label>organization-defined frequency</label>
@@ -15394,8 +15394,8 @@
                   <p>automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-7.2">
             <title>Prevent Program Execution</title>
             <param id="cm-7.2_prm_1">
                <select how-many="one or more">
@@ -15465,8 +15465,8 @@
                   <p>automated mechanisms supporting and/or implementing software program usage and restrictions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-7.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-7.3">
             <title>Registration Compliance</title>
             <param id="cm-7.3_prm_1">
                <label>organization-defined registration requirements for functions, ports, protocols, and services</label>
@@ -15548,8 +15548,8 @@
                   <p>automated mechanisms implementing compliance with registration requirements for functions, ports, protocols, and/or services</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-7.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-7.4">
             <title>Unauthorized Software / Blacklisting</title>
             <param id="cm-7.4_prm_1">
                <label>organization-defined software programs not authorized to execute on the information system</label>
@@ -15636,8 +15636,8 @@
                   <p>automated mechanisms supporting and/or implementing blacklisting</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-7.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-7.5">
             <title>Authorized Software / Whitelisting</title>
             <param id="cm-7.5_prm_1">
                <label>organization-defined software programs authorized to execute on the information system</label>
@@ -15728,7 +15728,7 @@
                   <p>automated mechanisms implementing whitelisting</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-8">
          <title>Information System Component Inventory</title>
@@ -15840,7 +15840,7 @@
                <p>automated mechanisms supporting and/or implementing the information system component inventory</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.1">
+         <control class="SP800-53-enhancement" id="cm-8.1">
             <title>Updates During Installations / Removals</title>
             <prop name="label">CM-8(1)</prop>
             <part id="cm-8.1_smt" name="statement">
@@ -15890,8 +15890,8 @@
                   <p>automated mechanisms implementing updating of the information system component inventory</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.2">
             <title>Automated Maintenance</title>
             <prop name="label">CM-8(2)</prop>
             <part id="cm-8.2_smt" name="statement">
@@ -15951,8 +15951,8 @@
                   <p>automated mechanisms implementing the information system component inventory</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.3">
             <title>Automated Unauthorized Component Detection</title>
             <param id="cm-8.3_prm_1">
                <label>organization-defined frequency</label>
@@ -16086,8 +16086,8 @@
                   <p>automated mechanisms implementing the detection of unauthorized information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.4">
             <title>Accountability Information</title>
             <param id="cm-8.4_prm_1">
                <select how-many="one or more">
@@ -16144,8 +16144,8 @@
                   <p>automated mechanisms implementing the information system component inventory</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.5">
             <title>No Duplicate Accounting of Components</title>
             <prop name="label">CM-8(5)</prop>
             <part id="cm-8.5_smt" name="statement">
@@ -16184,8 +16184,8 @@
                   <p>automated mechanisms implementing the information system component inventory</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.6">
             <title>Assessed Configurations / Approved Deviations</title>
             <prop name="label">CM-8(6)</prop>
             <part id="cm-8.6_smt" name="statement">
@@ -16235,8 +16235,8 @@
                   <p>automated mechanisms implementing the information system component inventory</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.7">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.7">
             <title>Centralized Repository</title>
             <prop name="label">CM-8(7)</prop>
             <part id="cm-8.7_smt" name="statement">
@@ -16273,8 +16273,8 @@
                   <p>Automated mechanisms implementing the information system component inventory in a centralized repository</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.8">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.8">
             <title>Automated Location Tracking</title>
             <prop name="label">CM-8(8)</prop>
             <part id="cm-8.8_smt" name="statement">
@@ -16315,8 +16315,8 @@
                   <p>automated mechanisms supporting tracking of information system components by geographic location</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-8.9">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-8.9">
             <title>Assignment of Components to Systems</title>
             <param id="cm-8.9_prm_1">
                <label>organization-defined acquired information system components</label>
@@ -16388,7 +16388,7 @@
                   <p>automated mechanisms implementing acknowledgment of assignment of acquired components to the information system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-9">
          <title>Configuration Management Plan</title>
@@ -16506,7 +16506,7 @@
                <p>automated mechanisms for protecting the configuration management plan</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-9.1">
+         <control class="SP800-53-enhancement" id="cm-9.1">
             <title>Assignment of Responsibility</title>
             <prop name="label">CM-9(1)</prop>
             <part id="cm-9.1_smt" name="statement">
@@ -16535,7 +16535,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-10">
          <title>Software Usage Restrictions</title>
@@ -16608,7 +16608,7 @@
                <p>automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-10.1">
+         <control class="SP800-53-enhancement" id="cm-10.1">
             <title>Open Source Software</title>
             <param id="cm-10.1_prm_1">
                <label>organization-defined restrictions</label>
@@ -16656,7 +16656,7 @@
                   <p>automated mechanisms implementing restrictions on the use of open source software</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cm-11">
          <title>User-installed Software</title>
@@ -16765,7 +16765,7 @@
                <p>automated mechanisms monitoring policy compliance</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cm-11.1">
+         <control class="SP800-53-enhancement" id="cm-11.1">
             <title>Alerts for Unauthorized Installations</title>
             <param id="cm-11.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -16819,8 +16819,8 @@
                   <p>automated mechanisms for alerting personnel/roles when unauthorized installation of software is detected</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cm-11.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cm-11.2">
             <title>Prohibit Installation Without Privileged Status</title>
             <prop name="label">CM-11(2)</prop>
             <part id="cm-11.2_smt" name="statement">
@@ -16861,7 +16861,7 @@
                   <p>automated mechanisms for prohibiting installation of software without privileged status (e.g., access controls)</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="cp">
@@ -17244,7 +17244,7 @@
                <p>automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.1">
+         <control class="SP800-53-enhancement" id="cp-2.1">
             <title>Coordinate with Related Plans</title>
             <prop name="label">CP-2(1)</prop>
             <part id="cp-2.1_smt" name="statement">
@@ -17282,8 +17282,8 @@
                   <p>personnel with responsibility for related plans</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.2">
             <title>Capacity Planning</title>
             <prop name="label">CP-2(2)</prop>
             <part id="cp-2.2_smt" name="statement">
@@ -17324,8 +17324,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.3">
             <title>Resume Essential Missions / Business Functions</title>
             <param id="cp-2.3_prm_1">
                <label>organization-defined time period</label>
@@ -17374,8 +17374,8 @@
                   <p>Organizational processes for resumption of missions and business functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.4">
             <title>Resume All Missions / Business Functions</title>
             <param id="cp-2.4_prm_1">
                <label>organization-defined time period</label>
@@ -17424,8 +17424,8 @@
                   <p>Organizational processes for resumption of missions and business functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.5">
             <title>Continue Essential Missions / Business Functions</title>
             <prop name="label">CP-2(5)</prop>
             <part id="cp-2.5_smt" name="statement">
@@ -17475,8 +17475,8 @@
                   <p>Organizational processes for continuing missions and business functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.6">
             <title>Alternate Processing / Storage Site</title>
             <prop name="label">CP-2(6)</prop>
             <part id="cp-2.6_smt" name="statement">
@@ -17524,8 +17524,8 @@
                   <p>Organizational processes for transfer of essential missions and business functions to alternate processing/storage sites</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.7">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.7">
             <title>Coordinate with External Service Providers</title>
             <prop name="label">CP-2(7)</prop>
             <part id="cp-2.7_smt" name="statement">
@@ -17560,8 +17560,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-2.8">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-2.8">
             <title>Identify Critical Assets</title>
             <prop name="label">CP-2(8)</prop>
             <part id="cp-2.8_smt" name="statement">
@@ -17593,7 +17593,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-3">
          <title>Contingency Training</title>
@@ -17684,7 +17684,7 @@
                <p>Organizational processes for contingency training</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-3.1">
+         <control class="SP800-53-enhancement" id="cp-3.1">
             <title>Simulated Events</title>
             <prop name="label">CP-3(1)</prop>
             <part id="cp-3.1_smt" name="statement">
@@ -17718,8 +17718,8 @@
                   <p>automated mechanisms for simulating contingency events</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-3.2">
             <title>Automated Training Environments</title>
             <prop name="label">CP-3(2)</prop>
             <part id="cp-3.2_smt" name="statement">
@@ -17753,7 +17753,7 @@
                   <p>automated mechanisms for providing contingency training environments</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-4">
          <title>Contingency Plan Testing</title>
@@ -17841,7 +17841,7 @@
                <p>automated mechanisms supporting the contingency plan and/or contingency plan testing</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-4.1">
+         <control class="SP800-53-enhancement" id="cp-4.1">
             <title>Coordinate with Related Plans</title>
             <prop name="label">CP-4(1)</prop>
             <part id="cp-4.1_smt" name="statement">
@@ -17883,8 +17883,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-4.2">
             <title>Alternate Processing Site</title>
             <prop name="label">CP-4(2)</prop>
             <part id="cp-4.2_smt" name="statement">
@@ -17941,8 +17941,8 @@
                   <p>automated mechanisms supporting the contingency plan and/or contingency plan testing</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-4.3">
             <title>Automated Testing</title>
             <prop name="label">CP-4(3)</prop>
             <part id="cp-4.3_smt" name="statement">
@@ -17980,8 +17980,8 @@
                   <p>automated mechanisms supporting contingency plan testing</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-4.4">
             <title>Full Recovery / Reconstitution</title>
             <prop name="label">CP-4(4)</prop>
             <part id="cp-4.4_smt" name="statement">
@@ -18029,7 +18029,7 @@
                   <p>automated mechanisms supporting recovery and reconstitution of the information system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-5">
          <title>Contingency Plan Update</title>
@@ -18097,7 +18097,7 @@
                <p>automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-6.1">
+         <control class="SP800-53-enhancement" id="cp-6.1">
             <title>Separation from Primary Site</title>
             <prop name="label">CP-6(1)</prop>
             <part id="cp-6.1_smt" name="statement">
@@ -18130,8 +18130,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-6.2">
             <title>Recovery Time / Point Objectives</title>
             <prop name="label">CP-6(2)</prop>
             <part id="cp-6.2_smt" name="statement">
@@ -18167,8 +18167,8 @@
                   <p>automated mechanisms supporting recovery time/point objectives</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-6.3">
             <title>Accessibility</title>
             <prop name="label">CP-6(3)</prop>
             <part id="cp-6.3_smt" name="statement">
@@ -18210,7 +18210,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-7">
          <title>Alternate Processing Site</title>
@@ -18307,7 +18307,7 @@
                <p>automated mechanisms supporting and/or implementing recovery at the alternate processing site</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.1">
+         <control class="SP800-53-enhancement" id="cp-7.1">
             <title>Separation from Primary Site</title>
             <prop name="label">CP-7(1)</prop>
             <part id="cp-7.1_smt" name="statement">
@@ -18340,8 +18340,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-7.2">
             <title>Accessibility</title>
             <prop name="label">CP-7(2)</prop>
             <part id="cp-7.2_smt" name="statement">
@@ -18382,8 +18382,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-7.3">
             <title>Priority of Service</title>
             <prop name="label">CP-7(3)</prop>
             <part id="cp-7.3_smt" name="statement">
@@ -18415,8 +18415,8 @@
                   <p>organizational personnel with responsibility for acquisitions/contractual agreements</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-7.4">
             <title>Preparation for Use</title>
             <prop name="label">CP-7(4)</prop>
             <part id="cp-7.4_smt" name="statement">
@@ -18456,14 +18456,14 @@
                   <p>Automated mechanisms supporting and/or implementing recovery at the alternate processing site</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-7.5">
             <title>Equivalent Information Security Safeguards</title>
             <prop name="label">CP-7(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cp-7">CP-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-7.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-7.6">
             <title>Inability to Return to Primary Site</title>
             <prop name="label">CP-7(6)</prop>
             <part id="cp-7.6_smt" name="statement">
@@ -18491,7 +18491,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-8">
          <title>Telecommunications Services</title>
@@ -18554,7 +18554,7 @@
                <p>Automated mechanisms supporting telecommunications</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-8.1">
+         <control class="SP800-53-enhancement" id="cp-8.1">
             <title>Priority of Service Provisions</title>
             <prop name="label">CP-8(1)</prop>
             <part id="cp-8.1_smt" name="statement">
@@ -18608,8 +18608,8 @@
                   <p>Automated mechanisms supporting telecommunications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-8.2">
             <title>Single Points of Failure</title>
             <prop name="label">CP-8(2)</prop>
             <part id="cp-8.2_smt" name="statement">
@@ -18637,8 +18637,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-8.3">
             <title>Separation of Primary / Alternate Providers</title>
             <prop name="label">CP-8(3)</prop>
             <part id="cp-8.3_smt" name="statement">
@@ -18671,8 +18671,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-8.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-8.4">
             <title>Provider Contingency Plan</title>
             <param id="cp-8.4_prm_1">
                <label>organization-defined frequency</label>
@@ -18749,8 +18749,8 @@
                   <p>organizational personnel with responsibility for acquisitions/contractual agreements</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-8.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-8.5">
             <title>Alternate Telecommunication Service Testing</title>
             <param id="cp-8.5_prm_1">
                <label>organization-defined frequency</label>
@@ -18795,7 +18795,7 @@
                   <p>Automated mechanisms supporting testing alternate telecommunications services</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-9">
          <title>Information System Backup</title>
@@ -18902,7 +18902,7 @@
                <p>automated mechanisms supporting and/or implementing information system backups</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.1">
+         <control class="SP800-53-enhancement" id="cp-9.1">
             <title>Testing for Reliability / Integrity</title>
             <param id="cp-9.1_prm_1">
                <label>organization-defined frequency</label>
@@ -18951,8 +18951,8 @@
                   <p>automated mechanisms supporting and/or implementing information system backups</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.2">
             <title>Test Restoration Using Sampling</title>
             <prop name="label">CP-9(2)</prop>
             <part id="cp-9.2_smt" name="statement">
@@ -18991,8 +18991,8 @@
                   <p>automated mechanisms supporting and/or implementing information system backups</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.3">
             <title>Separate Storage for Critical Information</title>
             <param id="cp-9.3_prm_1">
                <label>organization-defined critical information system software and other security-related information</label>
@@ -19044,14 +19044,14 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.4">
             <title>Protection from Unauthorized Modification</title>
             <prop name="label">CP-9(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cp-9">CP-9</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.5">
             <title>Transfer to Alternate Storage Site</title>
             <param id="cp-9.5_prm_1">
                <label>organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives</label>
@@ -19105,8 +19105,8 @@
                   <p>automated mechanisms supporting and/or implementing information transfer to the alternate storage site</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.6">
             <title>Redundant Secondary System</title>
             <prop name="label">CP-9(6)</prop>
             <part id="cp-9.6_smt" name="statement">
@@ -19157,8 +19157,8 @@
                   <p>automated mechanisms supporting and/or implementing information transfer to a redundant secondary system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-9.7">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-9.7">
             <title>Dual Authorization</title>
             <param id="cp-9.7_prm_1">
                <label>organization-defined backup information</label>
@@ -19210,7 +19210,7 @@
                   <p>automated mechanisms supporting and/or implementing deletion/destruction of backup information</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-10">
          <title>Information System Recovery and Reconstitution</title>
@@ -19294,13 +19294,13 @@
                <p>automated mechanisms supporting and/or implementing information system recovery and reconstitution operations</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.1">
+         <control class="SP800-53-enhancement" id="cp-10.1">
             <title>Contingency Plan Testing</title>
             <prop name="label">CP-10(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cp-4">CP-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.2">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-10.2">
             <title>Transaction Recovery</title>
             <prop name="label">CP-10(2)</prop>
             <part id="cp-10.2_smt" name="statement">
@@ -19340,14 +19340,14 @@
                   <p>Automated mechanisms supporting and/or implementing transaction recovery capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.3">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-10.3">
             <title>Compensating Security Controls</title>
             <prop name="label">CP-10(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="https://doi.org/10.6028/NIST.SP.800-53r4">Chapter 3</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.4">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-10.4">
             <title>Restore Within Time Period</title>
             <param id="cp-10.4_prm_1">
                <label>organization-defined restoration time-periods</label>
@@ -19398,14 +19398,14 @@
                   <p>Automated mechanisms supporting and/or implementing recovery/reconstitution of information system information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.5">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-10.5">
             <title>Failover Capability</title>
             <prop name="label">CP-10(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-13">SI-13</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="cp-10.6">
+         </control>
+         <control class="SP800-53-enhancement" id="cp-10.6">
             <title>Component Protection</title>
             <prop name="label">CP-10(6)</prop>
             <part id="cp-10.6_smt" name="statement">
@@ -19461,7 +19461,7 @@
                   <p>automated mechanisms supporting and/or implementing protection of backup and restoration hardware, firmware, and software</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="cp-11">
          <title>Alternate Communications Protocols</title>
@@ -19855,7 +19855,7 @@
                <p>automated mechanisms supporting and/or implementing identification and authentication capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.1">
+         <control class="SP800-53-enhancement" id="ia-2.1">
             <title>Network Access to Privileged Accounts</title>
             <prop name="label">IA-2(1)</prop>
             <part id="ia-2.1_smt" name="statement">
@@ -19895,8 +19895,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.2">
             <title>Network Access to Non-privileged Accounts</title>
             <prop name="label">IA-2(2)</prop>
             <part id="ia-2.2_smt" name="statement">
@@ -19933,8 +19933,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.3">
             <title>Local Access to Privileged Accounts</title>
             <prop name="label">IA-2(3)</prop>
             <part id="ia-2.3_smt" name="statement">
@@ -19974,8 +19974,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.4">
             <title>Local Access to Non-privileged Accounts</title>
             <prop name="label">IA-2(4)</prop>
             <part id="ia-2.4_smt" name="statement">
@@ -20012,8 +20012,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.5">
             <title>Group Authentication</title>
             <prop name="label">IA-2(5)</prop>
             <part id="ia-2.5_smt" name="statement">
@@ -20053,8 +20053,8 @@
                   <p>Automated mechanisms supporting and/or implementing authentication capability for group accounts</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.6">
             <title>Network Access to Privileged Accounts - Separate Device</title>
             <param id="ia-2.6_prm_1">
                <label>organization-defined strength of mechanism requirements</label>
@@ -20109,8 +20109,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.7">
             <title>Network Access to Non-privileged Accounts - Separate Device</title>
             <param id="ia-2.7_prm_1">
                <label>organization-defined strength of mechanism requirements</label>
@@ -20162,8 +20162,8 @@
                   <p>Automated mechanisms supporting and/or implementing multifactor authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.8">
             <title>Network Access to Privileged Accounts - Replay Resistant</title>
             <prop name="label">IA-2(8)</prop>
             <part id="ia-2.8_smt" name="statement">
@@ -20204,8 +20204,8 @@
                   <p>automated mechanisms supporting and/or implementing replay resistant authentication mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.9">
             <title>Network Access to Non-privileged Accounts - Replay Resistant</title>
             <prop name="label">IA-2(9)</prop>
             <part id="ia-2.9_smt" name="statement">
@@ -20246,8 +20246,8 @@
                   <p>automated mechanisms supporting and/or implementing replay resistant authentication mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.10">
             <title>Single Sign-on</title>
             <param id="ia-2.10_prm_1">
                <label>organization-defined information system accounts and services</label>
@@ -20300,8 +20300,8 @@
                   <p>automated mechanisms supporting and/or implementing single sign-on capability for information system accounts and services</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.11">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.11">
             <title>Remote Access - Separate Device</title>
             <param id="ia-2.11_prm_1">
                <label>organization-defined strength of mechanism requirements</label>
@@ -20369,8 +20369,8 @@
                   <p>Automated mechanisms supporting and/or implementing identification and authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.12">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.12">
             <title>Acceptance of PIV Credentials</title>
             <prop name="label">IA-2(12)</prop>
             <part id="ia-2.12_smt" name="statement">
@@ -20423,8 +20423,8 @@
                   <p>Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-2.13">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-2.13">
             <title>Out-of-band Authentication</title>
             <param id="ia-2.13_prm_1">
                <label>organization-defined out-of-band authentication</label>
@@ -20485,7 +20485,7 @@
                   <p>Automated mechanisms supporting and/or implementing out-of-band authentication capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-3">
          <title>Device Identification and Authentication</title>
@@ -20574,7 +20574,7 @@
                <p>Automated mechanisms supporting and/or implementing device identification and authentication capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-3.1">
+         <control class="SP800-53-enhancement" id="ia-3.1">
             <title>Cryptographic Bidirectional Authentication</title>
             <param id="ia-3.1_prm_1">
                <label>organization-defined specific devices and/or types of devices</label>
@@ -20659,14 +20659,14 @@
                   <p>cryptographically based bidirectional authentication mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-3.2">
             <title>Cryptographic Bidirectional Network Authentication</title>
             <prop name="label">IA-3(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ia-3.1">IA-3 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-3.3">
             <title>Dynamic Address Allocation</title>
             <param id="ia-3.3_prm_1">
                <label>organization-defined lease information and lease duration</label>
@@ -20748,8 +20748,8 @@
                   <p>automated mechanisms supporting and/or implanting auditing of lease information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-3.4">
             <title>Device Attestation</title>
             <param id="ia-3.4_prm_1">
                <label>organization-defined configuration management process</label>
@@ -20802,7 +20802,7 @@
                   <p>cryptographic mechanisms supporting device attestation</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-4">
          <title>Identifier Management</title>
@@ -20989,7 +20989,7 @@
                <p>Automated mechanisms supporting and/or implementing identifier management</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.1">
+         <control class="SP800-53-enhancement" id="ia-4.1">
             <title>Prohibit Account Identifiers as Public Identifiers</title>
             <prop name="label">IA-4(1)</prop>
             <part id="ia-4.1_smt" name="statement">
@@ -21028,8 +21028,8 @@
                   <p>Automated mechanisms supporting and/or implementing identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.2">
             <title>Supervisor Authorization</title>
             <prop name="label">IA-4(2)</prop>
             <part id="ia-4.2_smt" name="statement">
@@ -21065,8 +21065,8 @@
                   <p>Automated mechanisms supporting and/or implementing identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.3">
             <title>Multiple Forms of Certification</title>
             <prop name="label">IA-4(3)</prop>
             <part id="ia-4.3_smt" name="statement">
@@ -21103,8 +21103,8 @@
                   <p>Automated mechanisms supporting and/or implementing identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.4">
             <title>Identify User Status</title>
             <param id="ia-4.4_prm_1">
                <label>organization-defined characteristic identifying individual status</label>
@@ -21152,8 +21152,8 @@
                   <p>Automated mechanisms supporting and/or implementing identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.5">
             <title>Dynamic Management</title>
             <prop name="label">IA-4(5)</prop>
             <part id="ia-4.5_smt" name="statement">
@@ -21193,8 +21193,8 @@
                   <p>Automated mechanisms supporting and/or implementing dynamic identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.6">
             <title>Cross-organization Management</title>
             <param id="ia-4.6_prm_1">
                <label>organization-defined external organizations</label>
@@ -21240,8 +21240,8 @@
                   <p>Automated mechanisms supporting and/or implementing identifier management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-4.7">
             <title>In-person Registration</title>
             <prop name="label">IA-4(7)</prop>
             <part id="ia-4.7_smt" name="statement">
@@ -21272,7 +21272,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-5">
          <title>Authenticator Management</title>
@@ -21479,7 +21479,7 @@
                <p>Automated mechanisms supporting and/or implementing authenticator management capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.1">
+         <control class="SP800-53-enhancement" id="ia-5.1">
             <title>Password-based Authentication</title>
             <param id="ia-5.1_prm_1">
                <label>organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type</label>
@@ -21634,8 +21634,8 @@
                   <p>Automated mechanisms supporting and/or implementing password-based authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.2">
             <title>Pki-based Authentication</title>
             <prop name="label">IA-5(2)</prop>
             <part id="ia-5.2_smt" name="statement">
@@ -21723,8 +21723,8 @@
                   <p>Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.3">
             <title>In-person or Trusted Third-party Registration</title>
             <param id="ia-5.3_prm_1">
                <label>organization-defined types of and/or specific authenticators</label>
@@ -21796,8 +21796,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.4">
             <title>Automated Support for Password Strength Determination</title>
             <param id="ia-5.4_prm_1">
                <label>organization-defined requirements</label>
@@ -21850,8 +21850,8 @@
                   <p>automated tools for determining password strength</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.5">
             <title>Change Authenticators Prior to Delivery</title>
             <prop name="label">IA-5(5)</prop>
             <part id="ia-5.5_smt" name="statement">
@@ -21897,8 +21897,8 @@
                   <p>Automated mechanisms supporting and/or implementing authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.6">
             <title>Protection of Authenticators</title>
             <prop name="label">IA-5(6)</prop>
             <part id="ia-5.6_smt" name="statement">
@@ -21938,8 +21938,8 @@
                   <p>automated mechanisms protecting authenticators</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.7">
             <title>No Embedded Unencrypted Static Authenticators</title>
             <prop name="label">IA-5(7)</prop>
             <part id="ia-5.7_smt" name="statement">
@@ -21991,8 +21991,8 @@
                   <p>automated mechanisms implementing authentication in applications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.8">
             <title>Multiple Information System Accounts</title>
             <param id="ia-5.8_prm_1">
                <label>organization-defined security safeguards</label>
@@ -22040,8 +22040,8 @@
                   <p>Automated mechanisms supporting and/or implementing safeguards for authenticator management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.9">
             <title>Cross-organization Credential Management</title>
             <param id="ia-5.9_prm_1">
                <label>organization-defined external organizations</label>
@@ -22089,8 +22089,8 @@
                   <p>Automated mechanisms supporting and/or implementing safeguards for authenticator management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.10">
             <title>Dynamic Credential Association</title>
             <prop name="label">IA-5(10)</prop>
             <part id="ia-5.10_smt" name="statement">
@@ -22130,8 +22130,8 @@
                   <p>automated mechanisms implementing dynamic provisioning of identifiers</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.11">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.11">
             <title>Hardware Token-based Authentication</title>
             <param id="ia-5.11_prm_1">
                <label>organization-defined token quality requirements</label>
@@ -22183,8 +22183,8 @@
                   <p>Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.12">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.12">
             <title>Biometric-based Authentication</title>
             <param id="ia-5.12_prm_1">
                <label>organization-defined biometric quality requirements</label>
@@ -22236,8 +22236,8 @@
                   <p>Automated mechanisms supporting and/or implementing biometric-based authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.13">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.13">
             <title>Expiration of Cached Authenticators</title>
             <param id="ia-5.13_prm_1">
                <label>organization-defined time period</label>
@@ -22284,8 +22284,8 @@
                   <p>Automated mechanisms supporting and/or implementing authenticator management capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.14">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.14">
             <title>Managing Content of PKI Trust Stores</title>
             <prop name="label">IA-5(14)</prop>
             <part id="ia-5.14_smt" name="statement">
@@ -22340,8 +22340,8 @@
                   <p>automated mechanisms supporting and/or implementing the PKI trust store capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-5.15">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-5.15">
             <title>Ficam-approved Products and Services</title>
             <prop name="label">IA-5(15)</prop>
             <part id="ia-5.15_smt" name="statement">
@@ -22381,7 +22381,7 @@
                   <p>automated mechanisms supporting and/or implementing identification and authentication management capability for the information system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-6">
          <title>Authenticator Feedback</title>
@@ -22524,7 +22524,7 @@
                <p>Automated mechanisms supporting and/or implementing identification and authentication capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-8.1">
+         <control class="SP800-53-enhancement" id="ia-8.1">
             <title>Acceptance of PIV Credentials from Other Agencies</title>
             <prop name="label">IA-8(1)</prop>
             <part id="ia-8.1_smt" name="statement">
@@ -22578,8 +22578,8 @@
                   <p>automated mechanisms that accept and verify PIV credentials</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-8.2">
             <title>Acceptance of Third-party Credentials</title>
             <prop name="label">IA-8(2)</prop>
             <part id="ia-8.2_smt" name="statement">
@@ -22624,8 +22624,8 @@
                   <p>automated mechanisms that accept FICAM-approved credentials</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-8.3">
             <title>Use of Ficam-approved Products</title>
             <param id="ia-8.3_prm_1">
                <label>organization-defined information systems</label>
@@ -22683,8 +22683,8 @@
                   <p>Automated mechanisms supporting and/or implementing identification and authentication capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-8.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-8.4">
             <title>Use of Ficam-issued Profiles</title>
             <prop name="label">IA-8(4)</prop>
             <part id="ia-8.4_smt" name="statement">
@@ -22730,8 +22730,8 @@
                   <p>automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-8.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-8.5">
             <title>Acceptance of PIV-I Credentials</title>
             <prop name="label">IA-8(5)</prop>
             <part id="ia-8.5_smt" name="statement">
@@ -22783,7 +22783,7 @@
                   <p>automated mechanisms that accept and verify PIV-I credentials</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-9">
          <title>Service Identification and Authentication</title>
@@ -22844,7 +22844,7 @@
                <p>Security safeguards implementing service identification and authentication capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ia-9.1">
+         <control class="SP800-53-enhancement" id="ia-9.1">
             <title>Information Exchange</title>
             <prop name="label">IA-9(1)</prop>
             <part id="ia-9.1_smt" name="statement">
@@ -22892,8 +22892,8 @@
                   <p>Automated mechanisms implementing service identification and authentication capabilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ia-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ia-9.2">
             <title>Transmission of Decisions</title>
             <param id="ia-9.2_prm_1">
                <label>organization-defined services</label>
@@ -22946,7 +22946,7 @@
                   <p>Automated mechanisms implementing service identification and authentication capabilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ia-10">
          <title>Adaptive Identification and Authentication</title>
@@ -23304,7 +23304,7 @@
                <p>organizational personnel with information security responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-2.1">
+         <control class="SP800-53-enhancement" id="ir-2.1">
             <title>Simulated Events</title>
             <prop name="label">IR-2(1)</prop>
             <part id="ir-2.1_smt" name="statement">
@@ -23338,8 +23338,8 @@
                   <p>Automated mechanisms that support and/or implement simulated events for incident response training</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-2.2">
             <title>Automated Training Environments</title>
             <prop name="label">IR-2(2)</prop>
             <part id="ir-2.2_smt" name="statement">
@@ -23374,7 +23374,7 @@
                   <p>Automated mechanisms that provide a thorough and realistic incident response training environment</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-3">
          <title>Incident Response Testing</title>
@@ -23433,7 +23433,7 @@
                <p>organizational personnel with information security responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-3.1">
+         <control class="SP800-53-enhancement" id="ir-3.1">
             <title>Automated Testing</title>
             <prop name="label">IR-3(1)</prop>
             <part id="ir-3.1_smt" name="statement">
@@ -23476,8 +23476,8 @@
                   <p>Automated mechanisms that more thoroughly and effectively test the incident response capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-3.2">
             <title>Coordination with Related Plans</title>
             <prop name="label">IR-3(2)</prop>
             <part id="ir-3.2_smt" name="statement">
@@ -23516,7 +23516,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-4">
          <title>Incident Handling</title>
@@ -23646,7 +23646,7 @@
                <p>Incident handling capability for the organization</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.1">
+         <control class="SP800-53-enhancement" id="ir-4.1">
             <title>Automated Incident Handling Processes</title>
             <prop name="label">IR-4(1)</prop>
             <part id="ir-4.1_smt" name="statement">
@@ -23685,8 +23685,8 @@
                   <p>Automated mechanisms that support and/or implement the incident handling process</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.2">
             <title>Dynamic Reconfiguration</title>
             <param id="ir-4.2_prm_1">
                <label>organization-defined information system components</label>
@@ -23743,8 +23743,8 @@
                   <p>Automated mechanisms that support and/or implement dynamic reconfiguration of components as part of incident response</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.3">
             <title>Continuity of Operations</title>
             <param id="ir-4.3_prm_1">
                <label>organization-defined classes of incidents</label>
@@ -23799,8 +23799,8 @@
                   <p>Automated mechanisms that support and/or implement continuity of operations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.4">
             <title>Information Correlation</title>
             <prop name="label">IR-4(4)</prop>
             <part id="ir-4.4_smt" name="statement">
@@ -23847,8 +23847,8 @@
                   <p>automated mechanisms that support and or implement correlation of incident response information with individual incident responses</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.5">
             <title>Automatic Disabling of Information System</title>
             <param id="ir-4.5_prm_1">
                <label>organization-defined security violations</label>
@@ -23896,8 +23896,8 @@
                   <p>automated mechanisms supporting and/or implementing automatic disabling of the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.6">
             <title>Insider Threats - Specific Capabilities</title>
             <prop name="label">IR-4(6)</prop>
             <part id="ir-4.6_smt" name="statement">
@@ -23936,8 +23936,8 @@
                   <p>Incident handling capability for the organization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.7">
             <title>Insider Threats - Intra-organization Coordination</title>
             <param id="ir-4.7_prm_1">
                <label>organization-defined components or elements of the organization</label>
@@ -23984,8 +23984,8 @@
                   <p>Organizational processes for coordinating incident handling</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.8">
             <title>Correlation with External Organizations</title>
             <param id="ir-4.8_prm_1">
                <label>organization-defined external organizations</label>
@@ -24041,8 +24041,8 @@
                   <p>Organizational processes for coordinating incident handling information with external organizations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.9">
             <title>Dynamic Response Capability</title>
             <param id="ir-4.9_prm_1">
                <label>organization-defined dynamic response capabilities</label>
@@ -24094,8 +24094,8 @@
                   <p>automated mechanisms supporting and/or implementing the dynamic response capability for the organization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-4.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-4.10">
             <title>Supply Chain Coordination</title>
             <prop name="label">IR-4(10)</prop>
             <part id="ir-4.10_smt" name="statement">
@@ -24128,7 +24128,7 @@
                   <p>organizational personnel with supply chain responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-5">
          <title>Incident Monitoring</title>
@@ -24184,7 +24184,7 @@
                <p>automated mechanisms supporting and/or implementing tracking and documenting of system security incidents</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-5.1">
+         <control class="SP800-53-enhancement" id="ir-5.1">
             <title>Automated Tracking / Data Collection / Analysis</title>
             <prop name="label">IR-5(1)</prop>
             <part id="ir-5.1_smt" name="statement">
@@ -24237,7 +24237,7 @@
                   <p>Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-6">
          <title>Incident Reporting</title>
@@ -24319,7 +24319,7 @@
                <p>automated mechanisms supporting and/or implementing incident reporting</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-6.1">
+         <control class="SP800-53-enhancement" id="ir-6.1">
             <title>Automated Reporting</title>
             <prop name="label">IR-6(1)</prop>
             <part id="ir-6.1_smt" name="statement">
@@ -24358,8 +24358,8 @@
                   <p>automated mechanisms supporting and/or implementing reporting of security incidents</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-6.2">
             <title>Vulnerabilities Related to Incidents</title>
             <param id="ir-6.2_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -24406,8 +24406,8 @@
                   <p>automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-6.3">
             <title>Coordination with Supply Chain</title>
             <prop name="label">IR-6(3)</prop>
             <part id="ir-6.3_smt" name="statement">
@@ -24447,7 +24447,7 @@
                   <p>automated mechanisms supporting and/or implementing reporting of incident information involved in the supply chain</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-7">
          <title>Incident Response Assistance</title>
@@ -24499,7 +24499,7 @@
                <p>automated mechanisms supporting and/or implementing incident response assistance</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-7.1">
+         <control class="SP800-53-enhancement" id="ir-7.1">
             <title>Automation Support for Availability of Information / Support</title>
             <prop name="label">IR-7(1)</prop>
             <part id="ir-7.1_smt" name="statement">
@@ -24539,8 +24539,8 @@
                   <p>automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-7.2">
             <title>Coordination with External Providers</title>
             <prop name="label">IR-7(2)</prop>
             <part id="ir-7.2_smt" name="statement">
@@ -24588,7 +24588,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-8">
          <title>Incident Response Plan</title>
@@ -24933,7 +24933,7 @@
                <p>automated mechanisms supporting and/or implementing information spillage response actions and related communications</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ir-9.1">
+         <control class="SP800-53-enhancement" id="ir-9.1">
             <title>Responsible Personnel</title>
             <param id="ir-9.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -24970,8 +24970,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-9.2">
             <title>Training</title>
             <param id="ir-9.2_prm_1">
                <label>organization-defined frequency</label>
@@ -25010,8 +25010,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-9.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-9.3">
             <title>Post-spill Operations</title>
             <param id="ir-9.3_prm_1">
                <label>organization-defined procedures</label>
@@ -25057,8 +25057,8 @@
                   <p>Organizational processes for post-spill operations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ir-9.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ir-9.4">
             <title>Exposure to Unauthorized Personnel</title>
             <param id="ir-9.4_prm_1">
                <label>organization-defined security safeguards</label>
@@ -25106,7 +25106,7 @@
                   <p>automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ir-10">
          <title>Integrated Information Security Analysis Team</title>
@@ -25461,13 +25461,13 @@
                <p>automated mechanisms implementing sanitization of information system components</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ma-2.1">
+         <control class="SP800-53-enhancement" id="ma-2.1">
             <title>Record Content</title>
             <prop name="label">MA-2(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ma-2">MA-2</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-2.2">
             <title>Automated Maintenance Activities</title>
             <prop name="label">MA-2(2)</prop>
             <part id="ma-2.2_smt" name="statement">
@@ -25552,7 +25552,7 @@
                   <p>automated mechanisms supporting and/or implementing production of records of maintenance and repair actions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ma-3">
          <title>Maintenance Tools</title>
@@ -25606,7 +25606,7 @@
                <p>automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ma-3.1">
+         <control class="SP800-53-enhancement" id="ma-3.1">
             <title>Inspect Tools</title>
             <prop name="label">MA-3(1)</prop>
             <part id="ma-3.1_smt" name="statement">
@@ -25644,8 +25644,8 @@
                   <p>automated mechanisms supporting and/or implementing inspection of maintenance tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-3.2">
             <title>Inspect Media</title>
             <prop name="label">MA-3(2)</prop>
             <part id="ma-3.2_smt" name="statement">
@@ -25682,8 +25682,8 @@
                   <p>automated mechanisms supporting and/or implementing inspection of media used for maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-3.3">
             <title>Prevent Unauthorized Removal</title>
             <param id="ma-3.3_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -25770,8 +25770,8 @@
                   <p>automated mechanisms supporting verification of media sanitization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-3.4">
             <title>Restricted Tool Use</title>
             <prop name="label">MA-3(4)</prop>
             <part id="ma-3.4_smt" name="statement">
@@ -25813,7 +25813,7 @@
                   <p>automated mechanisms supporting and/or implementing restricted use of maintenance tools</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ma-4">
          <title>Nonlocal Maintenance</title>
@@ -25942,7 +25942,7 @@
                <p>automated mechanisms for terminating nonlocal maintenance sessions and network connections</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.1">
+         <control class="SP800-53-enhancement" id="ma-4.1">
             <title>Auditing and Review</title>
             <param id="ma-4.1_prm_1">
                <label>organization-defined audit events</label>
@@ -26014,8 +26014,8 @@
                   <p>automated mechanisms supporting and/or implementing audit and review of nonlocal maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.2">
             <title>Document Nonlocal Maintenance</title>
             <prop name="label">MA-4(2)</prop>
             <part id="ma-4.2_smt" name="statement">
@@ -26051,8 +26051,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.3">
             <title>Comparable Security / Sanitization</title>
             <prop name="label">MA-4(3)</prop>
             <part id="ma-4.3_smt" name="statement">
@@ -26129,8 +26129,8 @@
                   <p>automated mechanisms supporting and/or implementing component sanitization and inspection</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.4">
             <title>Authentication / Separation of Maintenance Sessions</title>
             <param id="ma-4.4_prm_1">
                <label>organization-defined authenticators that are replay resistant</label>
@@ -26217,8 +26217,8 @@
                   <p>automated mechanisms implementing logically separated/encrypted communications paths</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.5">
             <title>Approvals and Notifications</title>
             <param id="ma-4.5_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -26296,8 +26296,8 @@
                   <p>automated mechanisms supporting notification and approval of nonlocal maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.6">
             <title>Cryptographic Protection</title>
             <prop name="label">MA-4(6)</prop>
             <part id="ma-4.6_smt" name="statement">
@@ -26339,8 +26339,8 @@
                   <p>Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-4.7">
             <title>Remote Disconnect Verification</title>
             <prop name="label">MA-4(7)</prop>
             <part id="ma-4.7_smt" name="statement">
@@ -26382,7 +26382,7 @@
                   <p>Automated mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ma-5">
          <title>Maintenance Personnel</title>
@@ -26461,7 +26461,7 @@
                <p>automated mechanisms supporting and/or implementing authorization of maintenance personnel</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ma-5.1">
+         <control class="SP800-53-enhancement" id="ma-5.1">
             <title>Individuals Without Appropriate Access</title>
             <prop name="label">MA-5(1)</prop>
             <part id="ma-5.1_smt" name="statement">
@@ -26568,8 +26568,8 @@
                   <p>automated mechanisms supporting and/or implementing information storage component sanitization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-5.2">
             <title>Security Clearances for Classified Systems</title>
             <prop name="label">MA-5(2)</prop>
             <part id="ma-5.2_smt" name="statement">
@@ -26625,8 +26625,8 @@
                   <p>Organizational processes for managing security clearances for maintenance personnel</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-5.3">
             <title>Citizenship Requirements for Classified Systems</title>
             <prop name="label">MA-5(3)</prop>
             <part id="ma-5.3_smt" name="statement">
@@ -26659,8 +26659,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-5.4">
             <title>Foreign Nationals</title>
             <prop name="label">MA-5(4)</prop>
             <part id="ma-5.4_smt" name="statement">
@@ -26728,8 +26728,8 @@
                   <p>Organizational processes for managing foreign national maintenance personnel</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-5.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-5.5">
             <title>Nonsystem-related Maintenance</title>
             <prop name="label">MA-5(5)</prop>
             <part id="ma-5.5_smt" name="statement">
@@ -26764,7 +26764,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ma-6">
          <title>Timely Maintenance</title>
@@ -26835,7 +26835,7 @@
                <p>Organizational processes for ensuring timely maintenance</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ma-6.1">
+         <control class="SP800-53-enhancement" id="ma-6.1">
             <title>Preventive Maintenance</title>
             <param id="ma-6.1_prm_1">
                <label>organization-defined information system components</label>
@@ -26893,8 +26893,8 @@
                   <p>automated mechanisms supporting and/or implementing preventive maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-6.2">
             <title>Predictive Maintenance</title>
             <param id="ma-6.2_prm_1">
                <label>organization-defined information system components</label>
@@ -26952,8 +26952,8 @@
                   <p>automated mechanisms supporting and/or implementing predictive maintenance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ma-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ma-6.3">
             <title>Automated Support for Predictive Maintenance</title>
             <prop name="label">MA-6(3)</prop>
             <part id="ma-6.3_smt" name="statement">
@@ -26993,7 +26993,7 @@
                   <p>operations of the computer maintenance management system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="mp">
@@ -27212,18 +27212,18 @@
                <p>automated mechanisms supporting and/or implementing media access restrictions</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-2.1">
+         <control class="SP800-53-enhancement" id="mp-2.1">
             <title>Automated Restricted Access</title>
             <prop name="label">MP-2(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-4.2">MP-4 (2)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-2.2">
             <title>Cryptographic Protection</title>
             <prop name="label">MP-2(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-28.1">SC-28 (1)</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="mp-3">
          <title>Media Marking</title>
@@ -27398,13 +27398,13 @@
                <p>automated mechanisms supporting and/or implementing secure media storage/media protection</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-4.1">
+         <control class="SP800-53-enhancement" id="mp-4.1">
             <title>Cryptographic Protection</title>
             <prop name="label">MP-4(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-28.1">SC-28 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-4.2">
             <title>Automated Restricted Access</title>
             <prop name="label">MP-4(2)</prop>
             <part id="mp-4.2_smt" name="statement">
@@ -27463,7 +27463,7 @@
                   <p>automated mechanisms auditing access attempts and access granted to media storage areas</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="mp-5">
          <title>Media Transport</title>
@@ -27564,19 +27564,19 @@
                <p>automated mechanisms supporting and/or implementing media storage/media protection</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-5.1">
+         <control class="SP800-53-enhancement" id="mp-5.1">
             <title>Protection Outside of Controlled Areas</title>
             <prop name="label">MP-5(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-5.2">
             <title>Documentation of Activities</title>
             <prop name="label">MP-5(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-5.3">
             <title>Custodians</title>
             <prop name="label">MP-5(3)</prop>
             <part id="mp-5.3_smt" name="statement">
@@ -27606,8 +27606,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-5.4">
             <title>Cryptographic Protection</title>
             <prop name="label">MP-5(4)</prop>
             <part id="mp-5.4_smt" name="statement">
@@ -27645,7 +27645,7 @@
                   <p>Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="mp-6">
          <title>Media Sanitization</title>
@@ -27752,7 +27752,7 @@
                <p>automated mechanisms supporting and/or implementing media sanitization</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.1">
+         <control class="SP800-53-enhancement" id="mp-6.1">
             <title>Review / Approve / Track / Document / Verify</title>
             <prop name="label">MP-6(1)</prop>
             <part id="mp-6.1_smt" name="statement">
@@ -27814,8 +27814,8 @@
                   <p>automated mechanisms supporting and/or implementing media sanitization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.2">
             <title>Equipment Testing</title>
             <param id="mp-6.2_prm_1">
                <label>organization-defined frequency</label>
@@ -27863,8 +27863,8 @@
                   <p>automated mechanisms supporting and/or implementing media sanitization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.3">
             <title>Nondestructive Techniques</title>
             <param id="mp-6.3_prm_1">
                <label>organization-defined circumstances requiring sanitization of portable storage devices</label>
@@ -27913,26 +27913,26 @@
                   <p>automated mechanisms supporting and/or implementing media sanitization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.4">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.4">
             <title>Controlled Unclassified Information</title>
             <prop name="label">MP-6(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.5">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.5">
             <title>Classified Information</title>
             <prop name="label">MP-6(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.6">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.6">
             <title>Media Destruction</title>
             <prop name="label">MP-6(6)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.7">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.7">
             <title>Dual Authorization</title>
             <param id="mp-6.7_prm_1">
                <label>organization-defined information system media</label>
@@ -27985,8 +27985,8 @@
                   <p>automated mechanisms supporting and/or implementing dual authorization</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-6.8">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-6.8">
             <title>Remote Purging / Wiping of Information</title>
             <param id="mp-6.8_prm_1">
                <label>organization-defined information systems, system components, or devices</label>
@@ -28051,7 +28051,7 @@
                   <p>automated mechanisms supporting and/or implementing purge/wipe capabilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="mp-7">
          <title>Media Use</title>
@@ -28145,7 +28145,7 @@
                <p>automated mechanisms restricting or prohibiting use of information system media on information systems or system components</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-7.1">
+         <control class="SP800-53-enhancement" id="mp-7.1">
             <title>Prohibit Use Without Owner</title>
             <prop name="label">MP-7(1)</prop>
             <part id="mp-7.1_smt" name="statement">
@@ -28187,8 +28187,8 @@
                   <p>automated mechanisms prohibiting use of media on information systems or system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-7.2">
             <title>Prohibit Use of Sanitization-resistant Media</title>
             <prop name="label">MP-7(2)</prop>
             <part id="mp-7.2_smt" name="statement">
@@ -28226,7 +28226,7 @@
                   <p>automated mechanisms prohibiting use of media on information systems or system components</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="mp-8">
          <title>Media Downgrading</title>
@@ -28327,7 +28327,7 @@
                <p>automated mechanisms supporting and/or implementing media downgrading</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="mp-8.1">
+         <control class="SP800-53-enhancement" id="mp-8.1">
             <title>Documentation of Process</title>
             <prop name="label">MP-8(1)</prop>
             <part id="mp-8.1_smt" name="statement">
@@ -28364,8 +28364,8 @@
                   <p>automated mechanisms supporting and/or implementing media downgrading</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-8.2">
             <title>Equipment Testing</title>
             <param id="mp-8.2_prm_1">
                <label>organization-defined tests</label>
@@ -28424,8 +28424,8 @@
                   <p>automated mechanisms supporting and/or implementing tests for downgrading equipment</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-8.3">
             <title>Controlled Unclassified Information</title>
             <param id="mp-8.3_prm_1">
                <label>organization-defined Controlled Unclassified Information (CUI)</label>
@@ -28470,8 +28470,8 @@
                   <p>automated mechanisms supporting and/or implementing media downgrading</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="mp-8.4">
+         </control>
+         <control class="SP800-53-enhancement" id="mp-8.4">
             <title>Classified Information</title>
             <prop name="label">MP-8(4)</prop>
             <part id="mp-8.4_smt" name="statement">
@@ -28509,7 +28509,7 @@
                   <p>automated mechanisms supporting and/or implementing media downgrading</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="pe">
@@ -28759,7 +28759,7 @@
                <p>automated mechanisms supporting and/or implementing physical access authorizations</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-2.1">
+         <control class="SP800-53-enhancement" id="pe-2.1">
             <title>Access by Position / Role</title>
             <prop name="label">PE-2(1)</prop>
             <part id="pe-2.1_smt" name="statement">
@@ -28799,8 +28799,8 @@
                   <p>automated mechanisms supporting and/or implementing physical access authorizations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-2.2">
             <title>Two Forms of Identification</title>
             <param id="pe-2.2_prm_1">
                <label>organization-defined list of acceptable forms of identification</label>
@@ -28853,8 +28853,8 @@
                   <p>automated mechanisms supporting and/or implementing physical access authorizations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-2.3">
             <title>Restrict Unescorted Access</title>
             <param id="pe-2.3_prm_1">
                <select how-many="one or more">
@@ -28931,7 +28931,7 @@
                   <p>automated mechanisms supporting and/or implementing physical access authorizations</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-3">
          <title>Physical Access Control</title>
@@ -29198,7 +29198,7 @@
                <p>physical access control devices</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.1">
+         <control class="SP800-53-enhancement" id="pe-3.1">
             <title>Information System Access</title>
             <param id="pe-3.1_prm_1">
                <label>organization-defined physical spaces containing one or more components of the information system</label>
@@ -29250,8 +29250,8 @@
                   <p>automated mechanisms supporting and/or implementing physical access control for facility areas containing information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-3.2">
             <title>Facility / Information System Boundaries</title>
             <param id="pe-3.2_prm_1">
                <label>organization-defined frequency</label>
@@ -29321,8 +29321,8 @@
                   <p>automated mechanisms supporting and/or implementing security checks for unauthorized exfiltration of information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-3.3">
             <title>Continuous Guards / Alarms / Monitoring</title>
             <prop name="label">PE-3(3)</prop>
             <part id="pe-3.3_smt" name="statement">
@@ -29370,8 +29370,8 @@
                   <p>automated mechanisms supporting and/or implementing physical access control for the facility where the information system resides</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-3.4">
             <title>Lockable Casings</title>
             <param id="pe-3.4_prm_1">
                <label>organization-defined information system components</label>
@@ -29415,8 +29415,8 @@
                   <p>Lockable physical casings</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-3.5">
             <title>Tamper Protection</title>
             <param id="pe-3.5_prm_1">
                <label>organization-defined security safeguards</label>
@@ -29484,8 +29484,8 @@
                   <p>automated mechanisms/security safeguards supporting and/or implementing detection/prevention of physical tampering/alternation of information system hardware components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-3.6">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-3.6">
             <title>Facility Penetration Testing</title>
             <param id="pe-3.6_prm_1">
                <label>organization-defined frequency</label>
@@ -29535,7 +29535,7 @@
                   <p>automated mechanisms supporting and/or implementing facility penetration testing</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-4">
          <title>Access Control for Transmission Medium</title>
@@ -29641,7 +29641,7 @@
                <p>automated mechanisms supporting and/or implementing access control to output devices</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-5.1">
+         <control class="SP800-53-enhancement" id="pe-5.1">
             <title>Access to Output by Authorized Individuals</title>
             <param id="pe-5.1_prm_1">
                <label>organization-defined output devices</label>
@@ -29705,8 +29705,8 @@
                   <p>automated mechanisms supporting and/or implementing access control to output devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-5.2">
             <title>Access to Output by Individual Identity</title>
             <param id="pe-5.2_prm_1">
                <label>organization-defined output devices</label>
@@ -29775,8 +29775,8 @@
                   <p>automated mechanisms supporting and/or implementing access control to output devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-5.3">
             <title>Marking Output Devices</title>
             <param id="pe-5.3_prm_1">
                <label>organization-defined information system output devices</label>
@@ -29821,7 +29821,7 @@
                   <p>Organizational processes for marking output devices</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-6">
          <title>Monitoring Physical Access</title>
@@ -29907,7 +29907,7 @@
                <p>automated mechanisms supporting and/or implementing reviewing of physical access logs</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-6.1">
+         <control class="SP800-53-enhancement" id="pe-6.1">
             <title>Intrusion Alarms / Surveillance Equipment</title>
             <prop name="label">PE-6(1)</prop>
             <part id="pe-6.1_smt" name="statement">
@@ -29944,8 +29944,8 @@
                   <p>automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-6.2">
             <title>Automated Intrusion Recognition / Responses</title>
             <param id="pe-6.2_prm_1">
                <label>organization-defined classes/types of intrusions</label>
@@ -30002,8 +30002,8 @@
                   <p>automated mechanisms supporting and/or implementing recognition of classes/types of intrusions and initiation of a response</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-6.3">
             <title>Video Surveillance</title>
             <param id="pe-6.3_prm_1">
                <label>organization-defined operational areas</label>
@@ -30066,8 +30066,8 @@
                   <p>automated mechanisms supporting and/or implementing video surveillance</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-6.4">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-6.4">
             <title>Monitoring Physical Access to Information Systems</title>
             <param id="pe-6.4_prm_1">
                <label>organization-defined physical spaces containing one or more components of the information system</label>
@@ -30119,7 +30119,7 @@
                   <p>automated mechanisms supporting and/or implementing physical access monitoring for facility areas containing information system components</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-7">
          <title>Visitor Control</title>
@@ -30201,7 +30201,7 @@
                <p>automated mechanisms supporting and/or implementing maintenance and review of visitor access records</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-8.1">
+         <control class="SP800-53-enhancement" id="pe-8.1">
             <title>Automated Records Maintenance / Review</title>
             <prop name="label">PE-8(1)</prop>
             <part id="pe-8.1_smt" name="statement">
@@ -30234,13 +30234,13 @@
                   <p>automated mechanisms supporting and/or implementing maintenance and review of visitor access records</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-8.2">
             <title>Physical Access Records</title>
             <prop name="label">PE-8(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#pe-2">PE-2</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-9">
          <title>Power Equipment and Cabling</title>
@@ -30277,7 +30277,7 @@
                <p>Automated mechanisms supporting and/or implementing protection of power equipment/cabling</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-9.1">
+         <control class="SP800-53-enhancement" id="pe-9.1">
             <title>Redundant Cabling</title>
             <param id="pe-9.1_prm_1">
                <label>organization-defined distance</label>
@@ -30322,8 +30322,8 @@
                   <p>Automated mechanisms supporting and/or implementing protection of power equipment/cabling</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-9.2">
             <title>Automatic Voltage Controls</title>
             <param id="pe-9.2_prm_1">
                <label>organization-defined critical information system components</label>
@@ -30367,7 +30367,7 @@
                   <p>Automated mechanisms supporting and/or implementing automatic voltage controls</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-10">
          <title>Emergency Shutoff</title>
@@ -30441,12 +30441,12 @@
                <p>Automated mechanisms supporting and/or implementing emergency power shutoff</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-10.1">
+         <control class="SP800-53-enhancement" id="pe-10.1">
             <title>Accidental / Unauthorized Activation</title>
             <prop name="label">PE-10(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#pe-10">PE-10</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-11">
          <title>Emergency Power</title>
@@ -30501,7 +30501,7 @@
                <p>the uninterruptable power supply</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-11.1">
+         <control class="SP800-53-enhancement" id="pe-11.1">
             <title>Long-term Alternate Power Supply - Minimal Operational Capability</title>
             <prop name="label">PE-11(1)</prop>
             <part id="pe-11.1_smt" name="statement">
@@ -30538,8 +30538,8 @@
                   <p>the alternate power supply</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-11.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-11.2">
             <title>Long-term Alternate Power Supply - Self-contained</title>
             <param id="pe-11.2_prm_1">
                <select>
@@ -30617,7 +30617,7 @@
                   <p>the alternate power supply</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-12">
          <title>Emergency Lighting</title>
@@ -30665,7 +30665,7 @@
                <p>Automated mechanisms supporting and/or implementing emergency lighting capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-12.1">
+         <control class="SP800-53-enhancement" id="pe-12.1">
             <title>Essential Missions / Business Functions</title>
             <prop name="label">PE-12(1)</prop>
             <part id="pe-12.1_smt" name="statement">
@@ -30699,7 +30699,7 @@
                   <p>Automated mechanisms supporting and/or implementing emergency lighting capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-13">
          <title>Fire Protection</title>
@@ -30745,7 +30745,7 @@
                <p>Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-13.1">
+         <control class="SP800-53-enhancement" id="pe-13.1">
             <title>Detection Devices / Systems</title>
             <param id="pe-13.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -30816,8 +30816,8 @@
                   <p>automated notifications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-13.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-13.2">
             <title>Suppression Devices / Systems</title>
             <param id="pe-13.2_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -30883,8 +30883,8 @@
                   <p>automated notifications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-13.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-13.3">
             <title>Automatic Fire Suppression</title>
             <prop name="label">PE-13(3)</prop>
             <part id="pe-13.3_smt" name="statement">
@@ -30920,8 +30920,8 @@
                   <p>activation of fire suppression devices/systems (simulated)</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-13.4">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-13.4">
             <title>Inspections</title>
             <param id="pe-13.4_prm_1">
                <label>organization-defined frequency</label>
@@ -30973,7 +30973,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-14">
          <title>Temperature and Humidity Controls</title>
@@ -31066,7 +31066,7 @@
                <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-14.1">
+         <control class="SP800-53-enhancement" id="pe-14.1">
             <title>Automatic Controls</title>
             <prop name="label">PE-14(1)</prop>
             <part id="pe-14.1_smt" name="statement">
@@ -31108,8 +31108,8 @@
                   <p>Automated mechanisms supporting and/or implementing temperature and humidity levels</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pe-14.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pe-14.2">
             <title>Monitoring with Alarms / Notifications</title>
             <prop name="label">PE-14(2)</prop>
             <part id="pe-14.2_smt" name="statement">
@@ -31158,7 +31158,7 @@
                   <p>Automated mechanisms supporting and/or implementing temperature and humidity monitoring</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-15">
          <title>Water Damage Protection</title>
@@ -31211,7 +31211,7 @@
                <p>organizational process for activating master water-shutoff</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-15.1">
+         <control class="SP800-53-enhancement" id="pe-15.1">
             <title>Automation Support</title>
             <param id="pe-15.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -31263,7 +31263,7 @@
                   <p>Automated mechanisms supporting and/or implementing water detection capability and alerts for the information system</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-16">
          <title>Delivery and Removal</title>
@@ -31484,7 +31484,7 @@
                <p>Organizational processes for positioning information system components</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-18.1">
+         <control class="SP800-53-enhancement" id="pe-18.1">
             <title>Facility Site</title>
             <prop name="label">PE-18(1)</prop>
             <part id="pe-18.1_smt" name="statement">
@@ -31536,7 +31536,7 @@
                   <p>Organizational processes for site planning</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-19">
          <title>Information Leakage</title>
@@ -31575,7 +31575,7 @@
                <p>Automated mechanisms supporting and/or implementing protection from information leakage due to electromagnetic signals emanations</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pe-19.1">
+         <control class="SP800-53-enhancement" id="pe-19.1">
             <title>National Emissions / Tempest Policies and Procedures</title>
             <prop name="label">PE-19(1)</prop>
             <part id="pe-19.1_smt" name="statement">
@@ -31618,7 +31618,7 @@
                   <p>Information system components for compliance with national emissions and TEMPEST policies and procedures</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pe-20">
          <title>Asset Monitoring and Tracking</title>
@@ -32067,19 +32067,19 @@
                <p>automated mechanisms supporting the information system security plan</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pl-2.1">
+         <control class="SP800-53-enhancement" id="pl-2.1">
             <title>Concept of Operations</title>
             <prop name="label">PL-2(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#pl-7">PL-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pl-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pl-2.2">
             <title>Functional Architecture</title>
             <prop name="label">PL-2(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#pl-8">PL-8</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pl-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="pl-2.3">
             <title>Plan / Coordinate with Other Organizational Entities</title>
             <param id="pl-2.3_prm_1">
                <label>organization-defined individuals or groups</label>
@@ -32125,7 +32125,7 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pl-3">
          <title>System Security Plan Update</title>
@@ -32239,7 +32239,7 @@
                <p>automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pl-4.1">
+         <control class="SP800-53-enhancement" id="pl-4.1">
             <title>Social Media and Networking Restrictions</title>
             <prop name="label">PL-4(1)</prop>
             <part id="pl-4.1_smt" name="statement">
@@ -32283,7 +32283,7 @@
                   <p>automated mechanisms supporting and/or implementing the establishment of rules of behavior</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pl-5">
          <title>Privacy Impact Assessment</title>
@@ -32482,7 +32482,7 @@
                <p>automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="pl-8.1">
+         <control class="SP800-53-enhancement" id="pl-8.1">
             <title>Defense-in-depth</title>
             <param id="pl-8.1_prm_1">
                <label>organization-defined security safeguards</label>
@@ -32558,8 +32558,8 @@
                   <p>automated mechanisms supporting and/or implementing the design of the information security architecture</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="pl-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="pl-8.2">
             <title>Supplier Diversity</title>
             <param id="pl-8.2_prm_1">
                <label>organization-defined security safeguards</label>
@@ -32617,7 +32617,7 @@
                   <p>Organizational processes for obtaining information security safeguards from different suppliers</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="pl-9">
          <title>Central Management</title>
@@ -32974,7 +32974,7 @@
                <p>Organizational processes for personnel screening</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ps-3.1">
+         <control class="SP800-53-enhancement" id="ps-3.1">
             <title>Classified Information</title>
             <prop name="label">PS-3(1)</prop>
             <part id="ps-3.1_smt" name="statement">
@@ -33017,8 +33017,8 @@
                   <p>Organizational processes for clearing and indoctrinating personnel for access to classified information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ps-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ps-3.2">
             <title>Formal Indoctrination</title>
             <prop name="label">PS-3(2)</prop>
             <part id="ps-3.2_smt" name="statement">
@@ -33054,8 +33054,8 @@
                   <p>Organizational processes for formal indoctrination for all relevant types of information to which personnel have access</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ps-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ps-3.3">
             <title>Information with Special Protection Measures</title>
             <param id="ps-3.3_prm_1">
                <label>organization-defined additional personnel screening criteria</label>
@@ -33120,7 +33120,7 @@
                   <p>organizational process for additional personnel screening for information requiring special protection</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ps-4">
          <title>Personnel Termination</title>
@@ -33253,7 +33253,7 @@
                <p>automated mechanisms for disabling information system access/revoking authenticators</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ps-4.1">
+         <control class="SP800-53-enhancement" id="ps-4.1">
             <title>Post-employment Requirements</title>
             <prop name="label">PS-4(1)</prop>
             <part id="ps-4.1_smt" name="statement">
@@ -33306,8 +33306,8 @@
                   <p>Organizational processes for post-employment requirements</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ps-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ps-4.2">
             <title>Automated Notification</title>
             <param id="ps-4.2_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -33356,7 +33356,7 @@
                   <p>automated mechanisms supporting and/or implementing personnel termination notifications</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ps-5">
          <title>Personnel Transfer</title>
@@ -33578,13 +33578,13 @@
                <p>automated mechanisms supporting access agreements</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ps-6.1">
+         <control class="SP800-53-enhancement" id="ps-6.1">
             <title>Information Requiring Special Protection</title>
             <prop name="label">PS-6(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ps-3">PS-3</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ps-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ps-6.2">
             <title>Classified Information Requiring Special Protection</title>
             <prop name="label">PS-6(2)</prop>
             <part id="ps-6.2_smt" name="statement">
@@ -33649,8 +33649,8 @@
                   <p>Organizational processes for access to classified information requiring special protection</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ps-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ps-6.3">
             <title>Post-employment Requirements</title>
             <prop name="label">PS-6(3)</prop>
             <part id="ps-6.3_smt" name="statement">
@@ -33706,7 +33706,7 @@
                   <p>automated mechanisms supporting notifications and individual acknowledgements of post-employment requirements</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ps-7">
          <title>Third-party Personnel Security</title>
@@ -34487,7 +34487,7 @@
                <p>automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.1">
+         <control class="SP800-53-enhancement" id="ra-5.1">
             <title>Update Tool Capability</title>
             <prop name="label">RA-5(1)</prop>
             <part id="ra-5.1_smt" name="statement">
@@ -34527,8 +34527,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing vulnerability scanning</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.2">
             <title>Update by Frequency / Prior to New Scan / When Identified</title>
             <param id="ra-5.2_prm_1">
                <select how-many="one or more">
@@ -34599,8 +34599,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing vulnerability scanning</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.3">
             <title>Breadth / Depth of Coverage</title>
             <prop name="label">RA-5(3)</prop>
             <part id="ra-5.3_smt" name="statement">
@@ -34644,8 +34644,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing vulnerability scanning</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.4">
             <title>Discoverable Information</title>
             <param id="ra-5.4_prm_1">
                <label>organization-defined corrective actions</label>
@@ -34708,8 +34708,8 @@
                   <p>automated mechanisms supporting and/or implementing incident management and response</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.5">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.5">
             <title>Privileged Access</title>
             <param id="ra-5.5_prm_1">
                <label>organization-identified information system components</label>
@@ -34774,8 +34774,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing vulnerability scanning</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.6">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.6">
             <title>Automated Trend Analyses</title>
             <prop name="label">RA-5(6)</prop>
             <part id="ra-5.6_smt" name="statement">
@@ -34816,14 +34816,14 @@
                   <p>automated mechanisms supporting and/or implementing trend analysis of vulnerability scan results</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.7">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.7">
             <title>Automated Detection and Notification of Unauthorized Components</title>
             <prop name="label">RA-5(7)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-8">CM-8</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.8">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.8">
             <title>Review Historic Audit Logs</title>
             <prop name="label">RA-5(8)</prop>
             <part id="ra-5.8_smt" name="statement">
@@ -34866,14 +34866,14 @@
                   <p>automated mechanisms supporting and/or implementing audit record review</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.9">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.9">
             <title>Penetration Testing and Analyses</title>
             <prop name="label">RA-5(9)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ca-8">CA-8</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="ra-5.10">
+         </control>
+         <control class="SP800-53-enhancement" id="ra-5.10">
             <title>Correlate Scanning Information</title>
             <prop name="label">RA-5(10)</prop>
             <part id="ra-5.10_smt" name="statement">
@@ -34913,7 +34913,7 @@
                   <p>automated mechanisms implementing correlation of vulnerability scan results</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="ra-6">
          <title>Technical Surveillance Countermeasures Survey</title>
@@ -35435,7 +35435,7 @@
                <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.1">
+         <control class="SP800-53-enhancement" id="sa-4.1">
             <title>Functional Properties of Security Controls</title>
             <prop name="label">SA-4(1)</prop>
             <part id="sa-4.1_smt" name="statement">
@@ -35476,8 +35476,8 @@
                   <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.2">
             <title>Design / Implementation Information for Security Controls</title>
             <param id="sa-4.2_prm_1">
                <select how-many="one or more">
@@ -35570,8 +35570,8 @@
                   <p>automated mechanisms supporting and/or implementing development of system design details</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.3">
             <title>Development Methods / Techniques / Practices</title>
             <param id="sa-4.3_prm_1">
                <label>organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes</label>
@@ -35653,14 +35653,14 @@
                   <p>Organizational processes for development methods, techniques, and processes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.4">
             <title>Assignment of Components to Systems</title>
             <prop name="label">SA-4(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#cm-8.9">CM-8 (9)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.5">
             <title>System / Component / Service Configurations</title>
             <param id="sa-4.5_prm_1">
                <label>organization-defined security configurations</label>
@@ -35729,8 +35729,8 @@
                   <p>Automated mechanisms used to verify that the configuration of the information system, component, or service, as delivered, is as specified</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.6">
             <title>Use of Information Assurance Products</title>
             <prop name="label">SA-4(6)</prop>
             <part id="sa-4.6_smt" name="statement">
@@ -35791,8 +35791,8 @@
                   <p>Organizational processes for selecting and employing evaluated and/or validated information assurance products and services that compose an NSA-approved solution to protect classified information</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.7">
             <title>Niap-approved Protection Profiles</title>
             <prop name="label">SA-4(7)</prop>
             <part id="sa-4.7_smt" name="statement">
@@ -35851,8 +35851,8 @@
                   <p>Organizational processes for selecting and employing products/services evaluated against a NIAP-approved protection profile or FIPS-validated products</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.8">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.8">
             <title>Continuous Monitoring Plan</title>
             <param id="sa-4.8_prm_1">
                <label>organization-defined level of detail</label>
@@ -35907,8 +35907,8 @@
                   <p>automated mechanisms supporting and/or implementing developer continuous monitoring</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.9">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.9">
             <title>Functions / Ports / Protocols / Services in Use</title>
             <prop name="label">SA-4(9)</prop>
             <part id="sa-4.9_smt" name="statement">
@@ -35964,8 +35964,8 @@
                   <p>organizational personnel with information security responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-4.10">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-4.10">
             <title>Use of Approved PIV Products</title>
             <prop name="label">SA-4(10)</prop>
             <part id="sa-4.10_smt" name="statement">
@@ -36005,7 +36005,7 @@
                   <p>Organizational processes for selecting and employing FIPS 201-approved products</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-5">
          <title>Information System Documentation</title>
@@ -36192,36 +36192,36 @@
                <p>Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-5.1">
+         <control class="SP800-53-enhancement" id="sa-5.1">
             <title>Functional Properties of Security Controls</title>
             <prop name="label">SA-5(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-4.1">SA-4 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-5.2">
             <title>Security-relevant External System Interfaces</title>
             <prop name="label">SA-5(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-5.3">
             <title>High-level Design</title>
             <prop name="label">SA-5(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-5.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-5.4">
             <title>Low-level Design</title>
             <prop name="label">SA-5(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-5.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-5.5">
             <title>Source Code</title>
             <prop name="label">SA-5(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-6">
          <title>Software Usage Restrictions</title>
@@ -36402,7 +36402,7 @@
                <p>automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-9.1">
+         <control class="SP800-53-enhancement" id="sa-9.1">
             <title>Risk Assessments / Organizational Approvals</title>
             <param id="sa-9.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -36474,8 +36474,8 @@
                   <p>automated mechanisms supporting and/or implementing approval processes</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-9.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-9.2">
             <title>Identification of Functions / Ports / Protocols / Services</title>
             <param id="sa-9.2_prm_1">
                <label>organization-defined external information system services</label>
@@ -36537,8 +36537,8 @@
                   <p>external providers of information system services</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-9.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-9.3">
             <title>Establish / Maintain Trust Relationship with Providers</title>
             <param id="sa-9.3_prm_1">
                <label>organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships</label>
@@ -36595,8 +36595,8 @@
                   <p>external providers of information system services</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-9.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-9.4">
             <title>Consistent Interests of Consumers and Providers</title>
             <param id="sa-9.4_prm_1">
                <label>organization-defined security safeguards</label>
@@ -36656,8 +36656,8 @@
                   <p>automated mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-9.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-9.5">
             <title>Processing, Storage, and Service Location</title>
             <param id="sa-9.5_prm_1">
                <select how-many="one or more">
@@ -36737,7 +36737,7 @@
                   <p>organizational processes for ensuring the location is restricted in accordance with requirements or conditions</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-10">
          <title>Developer Configuration Management</title>
@@ -36906,7 +36906,7 @@
                <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.1">
+         <control class="SP800-53-enhancement" id="sa-10.1">
             <title>Software / Firmware Integrity Verification</title>
             <prop name="label">SA-10(1)</prop>
             <part id="sa-10.1_smt" name="statement">
@@ -36953,8 +36953,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-10.2">
             <title>Alternative Configuration Management Processes</title>
             <prop name="label">SA-10(2)</prop>
             <part id="sa-10.2_smt" name="statement">
@@ -36997,8 +36997,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-10.3">
             <title>Hardware Integrity Verification</title>
             <prop name="label">SA-10(3)</prop>
             <part id="sa-10.3_smt" name="statement">
@@ -37041,8 +37041,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-10.4">
             <title>Trusted Generation</title>
             <prop name="label">SA-10(4)</prop>
             <part id="sa-10.4_smt" name="statement">
@@ -37094,8 +37094,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-10.5">
             <title>Mapping Integrity for Version Control</title>
             <prop name="label">SA-10(5)</prop>
             <part id="sa-10.5_smt" name="statement">
@@ -37140,8 +37140,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-10.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-10.6">
             <title>Trusted Distribution</title>
             <prop name="label">SA-10(6)</prop>
             <part id="sa-10.6_smt" name="statement">
@@ -37185,7 +37185,7 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer configuration management</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-11">
          <title>Developer Security Testing and Evaluation</title>
@@ -37329,7 +37329,7 @@
                <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.1">
+         <control class="SP800-53-enhancement" id="sa-11.1">
             <title>Static Code Analysis</title>
             <prop name="label">SA-11(1)</prop>
             <part id="sa-11.1_smt" name="statement">
@@ -37375,8 +37375,8 @@
                   <p>static code analysis tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.2">
             <title>Threat and Vulnerability Analyses</title>
             <prop name="label">SA-11(2)</prop>
             <part id="sa-11.2_smt" name="statement">
@@ -37435,8 +37435,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.3">
             <title>Independent Verification of Assessment Plans / Evidence</title>
             <param id="sa-11.3_prm_1">
                <label>organization-defined independence criteria</label>
@@ -37528,8 +37528,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.4">
             <title>Manual Code Reviews</title>
             <param id="sa-11.4_prm_1">
                <label>organization-defined specific code</label>
@@ -37593,8 +37593,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.5">
             <title>Penetration Testing</title>
             <param id="sa-11.5_prm_1">
                <label>organization-defined breadth/depth</label>
@@ -37663,8 +37663,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.6">
             <title>Attack Surface Reviews</title>
             <prop name="label">SA-11(6)</prop>
             <part id="sa-11.6_smt" name="statement">
@@ -37708,8 +37708,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.7">
             <title>Verify Scope of Testing / Evaluation</title>
             <param id="sa-11.7_prm_1">
                <label>organization-defined depth of testing/evaluation</label>
@@ -37763,8 +37763,8 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-11.8">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-11.8">
             <title>Dynamic Code Analysis</title>
             <prop name="label">SA-11(8)</prop>
             <part id="sa-11.8_smt" name="statement">
@@ -37809,7 +37809,7 @@
                   <p>automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-12">
          <title>Supply Chain Protection</title>
@@ -37884,7 +37884,7 @@
                <p>automated mechanisms supporting and/or implementing safeguards for supply chain threats</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.1">
+         <control class="SP800-53-enhancement" id="sa-12.1">
             <title>Acquisition Strategies / Tools / Methods</title>
             <param id="sa-12.1_prm_1">
                <label>organization-defined tailored acquisition strategies, contract tools, and procurement methods</label>
@@ -37952,8 +37952,8 @@
                   <p>automated mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.2">
             <title>Supplier Reviews</title>
             <prop name="label">SA-12(2)</prop>
             <part id="sa-12.2_smt" name="statement">
@@ -37990,20 +37990,20 @@
                   <p>automated mechanisms supporting and/or implementing supplier reviews</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.3">
             <title>Trusted Shipping and Warehousing</title>
             <prop name="label">SA-12(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-12.1">SA-12 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.4">
             <title>Diversity of Suppliers</title>
             <prop name="label">SA-12(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-12.13">SA-12 (13)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.5">
             <title>Limitation of Harm</title>
             <param id="sa-12.5_prm_1">
                <label>organization-defined security safeguards</label>
@@ -38059,14 +38059,14 @@
                   <p>automated mechanisms supporting and/or implementing the definition and employment of safeguards to protect the organizational supply chain</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.6">
             <title>Minimizing Procurement Time</title>
             <prop name="label">SA-12(6)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-12.1">SA-12 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.7">
             <title>Assessments Prior to Selection / Acceptance / Update</title>
             <prop name="label">SA-12(7)</prop>
             <part id="sa-12.7_smt" name="statement">
@@ -38120,8 +38120,8 @@
                   <p>automated mechanisms supporting and/or implementing the conducting of assessments prior to selection, acceptance, or update</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.8">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.8">
             <title>Use of All-source Intelligence</title>
             <prop name="label">SA-12(8)</prop>
             <part id="sa-12.8_smt" name="statement">
@@ -38169,8 +38169,8 @@
                   <p>automated mechanisms supporting and/or implementing the use of all-source analysis of suppliers and potential suppliers</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.9">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.9">
             <title>Operations Security</title>
             <param id="sa-12.9_prm_1">
                <label>organization-defined Operations Security (OPSEC) safeguards</label>
@@ -38220,8 +38220,8 @@
                   <p>automated mechanisms supporting and/or implementing the definition and employment of OPSEC safeguards</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.10">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.10">
             <title>Validate as Genuine and Not Altered</title>
             <param id="sa-12.10_prm_1">
                <label>organization-defined security safeguards</label>
@@ -38273,8 +38273,8 @@
                   <p>automated mechanisms supporting and/or implementing the definition and employment of validation safeguards</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.11">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.11">
             <title>Penetration Testing / Analysis of Elements, Processes, and Actors</title>
             <param id="sa-12.11_prm_1">
                <select how-many="one or more">
@@ -38357,8 +38357,8 @@
                   <p>automated mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.12">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.12">
             <title>Inter-organizational Agreements</title>
             <prop name="label">SA-12(12)</prop>
             <part id="sa-12.12_smt" name="statement">
@@ -38404,8 +38404,8 @@
                   <p>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.13">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.13">
             <title>Critical Information System Components</title>
             <param id="sa-12.13_prm_1">
                <label>organization-defined security safeguards</label>
@@ -38461,8 +38461,8 @@
                   <p>automated mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.14">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.14">
             <title>Identity and Traceability</title>
             <param id="sa-12.14_prm_1">
                <label>organization-defined supply chain elements, processes, and actors</label>
@@ -38523,8 +38523,8 @@
                   <p>automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-12.15">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-12.15">
             <title>Processes to Address Weaknesses or Deficiencies</title>
             <prop name="label">SA-12(15)</prop>
             <part id="sa-12.15_smt" name="statement">
@@ -38562,7 +38562,7 @@
                   <p>automated mechanisms supporting and/or implementing the addressing of weaknesses or deficiencies in supply chain elements</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-13">
          <title>Trustworthiness</title>
@@ -38706,12 +38706,12 @@
                <p>organizational personnel with responsibilities for performing criticality analysis for the information system</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-14.1">
+         <control class="SP800-53-enhancement" id="sa-14.1">
             <title>Critical Components with No Viable Alternative Sourcing</title>
             <prop name="label">SA-14(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-20">SA-20</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-15">
          <title>Development Process, Standards, and Tools</title>
@@ -38850,7 +38850,7 @@
                <p>system developer</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.1">
+         <control class="SP800-53-enhancement" id="sa-15.1">
             <title>Quality Metrics</title>
             <param id="sa-15.1_prm_1">
                <select how-many="one or more">
@@ -38939,8 +38939,8 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.2">
             <title>Security Tracking Tools</title>
             <prop name="label">SA-15(2)</prop>
             <part id="sa-15.2_smt" name="statement">
@@ -38975,8 +38975,8 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.3">
             <title>Criticality Analysis</title>
             <param id="sa-15.3_prm_1">
                <label>organization-defined breadth/depth</label>
@@ -39044,8 +39044,8 @@
                   <p>automated mechanisms supporting and/or implementing criticality analysis</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.4">
             <title>Threat Modeling / Vulnerability Analysis</title>
             <param id="sa-15.4_prm_1">
                <label>organization-defined breadth/depth</label>
@@ -39151,8 +39151,8 @@
                   <p>automated mechanisms supporting and/or implementing development threat modeling and vulnerability analysis</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.5">
             <title>Attack Surface Reduction</title>
             <param id="sa-15.5_prm_1">
                <label>organization-defined thresholds</label>
@@ -39208,8 +39208,8 @@
                   <p>Organizational processes for defining attack surface reduction thresholds</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.6">
             <title>Continuous Improvement</title>
             <prop name="label">SA-15(6)</prop>
             <part id="sa-15.6_smt" name="statement">
@@ -39244,8 +39244,8 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.7">
             <title>Automated Vulnerability Analysis</title>
             <param id="sa-15.7_prm_1">
                <label>organization-defined tools</label>
@@ -39346,8 +39346,8 @@
                   <p>automated mechanisms supporting and/or implementing vulnerability analysis of information systems, system components, or information system services under development</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.8">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.8">
             <title>Reuse of Threat / Vulnerability Information</title>
             <prop name="label">SA-15(8)</prop>
             <part id="sa-15.8_smt" name="statement">
@@ -39380,8 +39380,8 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.9">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.9">
             <title>Use of Live Data</title>
             <prop name="label">SA-15(9)</prop>
             <part id="sa-15.9_smt" name="statement">
@@ -39435,8 +39435,8 @@
                   <p>automated mechanisms supporting and/or implementing the approval, documentation, and control of the use of live data in development and test environments</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.10">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.10">
             <title>Incident Response Plan</title>
             <prop name="label">SA-15(10)</prop>
             <part id="sa-15.10_smt" name="statement">
@@ -39473,8 +39473,8 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-15.11">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-15.11">
             <title>Archive Information System / Component</title>
             <prop name="label">SA-15(11)</prop>
             <part id="sa-15.11_smt" name="statement">
@@ -39510,7 +39510,7 @@
                   <p>system developer</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-16">
          <title>Developer-provided Training</title>
@@ -39635,7 +39635,7 @@
                <p>organizational personnel with security architecture and design responsibilities</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.1">
+         <control class="SP800-53-enhancement" id="sa-17.1">
             <title>Formal Policy Model</title>
             <param id="sa-17.1_prm_1">
                <label>organization-defined elements of organizational security policy</label>
@@ -39700,8 +39700,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.2">
             <title>Security-relevant Components</title>
             <prop name="label">SA-17(2)</prop>
             <part id="sa-17.2_smt" name="statement">
@@ -39767,8 +39767,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.3">
             <title>Formal Correspondence</title>
             <prop name="label">SA-17(3)</prop>
             <part id="sa-17.3_smt" name="statement">
@@ -39866,8 +39866,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.4">
             <title>Informal Correspondence</title>
             <param id="sa-17.4_prm_1">
                <select>
@@ -39970,8 +39970,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.5">
             <title>Conceptually Simple Design</title>
             <prop name="label">SA-17(5)</prop>
             <part id="sa-17.5_smt" name="statement">
@@ -40027,8 +40027,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.6">
             <title>Structure for Testing</title>
             <prop name="label">SA-17(6)</prop>
             <part id="sa-17.6_smt" name="statement">
@@ -40066,8 +40066,8 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-17.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-17.7">
             <title>Structure for Least Privilege</title>
             <prop name="label">SA-17(7)</prop>
             <part id="sa-17.7_smt" name="statement">
@@ -40106,7 +40106,7 @@
                   <p>organizational personnel with security architecture and design responsibilities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-18">
          <title>Tamper Resistance and Detection</title>
@@ -40149,7 +40149,7 @@
                <p>automated mechanisms supporting and/or implementing the tamper protection program</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-18.1">
+         <control class="SP800-53-enhancement" id="sa-18.1">
             <title>Multiple Phases of SDLC</title>
             <prop name="label">SA-18(1)</prop>
             <part id="sa-18.1_smt" name="statement">
@@ -40210,8 +40210,8 @@
                   <p>automated mechanisms supporting and/or implementing anti-tamper technologies</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-18.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-18.2">
             <title>Inspection of Information Systems, Components, or Devices</title>
             <param id="sa-18.2_prm_1">
                <label>organization-defined information systems, system components, or devices</label>
@@ -40293,7 +40293,7 @@
                   <p>automated mechanisms supporting and/or implementing tampering detection</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-19">
          <title>Component Authenticity</title>
@@ -40391,7 +40391,7 @@
                <p>automated mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-19.1">
+         <control class="SP800-53-enhancement" id="sa-19.1">
             <title>Anti-counterfeit Training</title>
             <param id="sa-19.1_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -40438,8 +40438,8 @@
                   <p>Organizational processes for anti-counterfeit training</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-19.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-19.2">
             <title>Configuration Control for Component Service / Repair</title>
             <param id="sa-19.2_prm_1">
                <label>organization-defined information system components</label>
@@ -40496,8 +40496,8 @@
                   <p>automated mechanisms supporting and/or implementing configuration management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-19.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-19.3">
             <title>Component Disposal</title>
             <param id="sa-19.3_prm_1">
                <label>organization-defined techniques and methods</label>
@@ -40548,8 +40548,8 @@
                   <p>automated mechanisms supporting and/or implementing system component disposal</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sa-19.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sa-19.4">
             <title>Anti-counterfeit Scanning</title>
             <param id="sa-19.4_prm_1">
                <label>organization-defined frequency</label>
@@ -40597,7 +40597,7 @@
                   <p>automated mechanisms supporting and/or implementing anti-counterfeit scanning</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-20">
          <title>Customized Development of Critical Components</title>
@@ -40736,7 +40736,7 @@
                <p>automated mechanisms supporting developer screening</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-21.1">
+         <control class="SP800-53-enhancement" id="sa-21.1">
             <title>Validation of Screening</title>
             <param id="sa-21.1_prm_1">
                <label>organization-defined actions</label>
@@ -40789,7 +40789,7 @@
                   <p>automated mechanisms supporting developer screening</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sa-22">
          <title>Unsupported System Components</title>
@@ -40854,7 +40854,7 @@
                <p>automated mechanisms supporting and/or implementing replacement of unsupported system components</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sa-22.1">
+         <control class="SP800-53-enhancement" id="sa-22.1">
             <title>Alternative Sources for Continued Support</title>
             <param id="sa-22.1_prm_1">
                <select how-many="one or more">
@@ -40919,7 +40919,7 @@
                   <p>automated mechanisms providing support for system components no longer supported by original developers, vendors, or manufacturers</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
    </group>
    <group class="family" id="sc">
@@ -41113,7 +41113,7 @@
                <p>Separation of user functionality from information system management functionality</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-2.1">
+         <control class="SP800-53-enhancement" id="sc-2.1">
             <title>Interfaces for Non-privileged Users</title>
             <prop name="label">SC-2(1)</prop>
             <part id="sc-2.1_smt" name="statement">
@@ -41152,7 +41152,7 @@
                   <p>Separation of user functionality from information system management functionality</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-3">
          <title>Security Function Isolation</title>
@@ -41201,7 +41201,7 @@
                <p>Separation of security functions from nonsecurity functions within the information system</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-3.1">
+         <control class="SP800-53-enhancement" id="sc-3.1">
             <title>Hardware Separation</title>
             <prop name="label">SC-3(1)</prop>
             <part id="sc-3.1_smt" name="statement">
@@ -41239,8 +41239,8 @@
                   <p>Separation of security functions from nonsecurity functions within the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-3.2">
             <title>Access / Flow Control Functions</title>
             <prop name="label">SC-3(2)</prop>
             <part id="sc-3.2_smt" name="statement">
@@ -41294,8 +41294,8 @@
                   <p>Isolation of security functions enforcing access and information flow control</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-3.3">
             <title>Minimize Nonsecurity Functionality</title>
             <prop name="label">SC-3(3)</prop>
             <part id="sc-3.3_smt" name="statement">
@@ -41331,8 +41331,8 @@
                   <p>Automated mechanisms supporting and/or implementing an isolation boundary</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-3.4">
             <title>Module Coupling and Cohesiveness</title>
             <prop name="label">SC-3(4)</prop>
             <part id="sc-3.4_smt" name="statement">
@@ -41377,8 +41377,8 @@
                   <p>automated mechanisms supporting and/or implementing security functions as independent modules</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-3.5">
             <title>Layered Structures</title>
             <prop name="label">SC-3(5)</prop>
             <part id="sc-3.5_smt" name="statement">
@@ -41423,7 +41423,7 @@
                   <p>automated mechanisms supporting and/or implementing security functions as a layered structure</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-4">
          <title>Information in Shared Resources</title>
@@ -41465,13 +41465,13 @@
                <p>Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-4.1">
+         <control class="SP800-53-enhancement" id="sc-4.1">
             <title>Security Levels</title>
             <prop name="label">SC-4(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-4">SC-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-4.2">
             <title>Periods Processing</title>
             <param id="sc-4.2_prm_1">
                <label>organization-defined procedures</label>
@@ -41519,7 +41519,7 @@
                   <p>Automated mechanisms preventing unauthorized transfer of information via shared system resources</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-5">
          <title>Denial of Service Protection</title>
@@ -41582,7 +41582,7 @@
                <p>Automated mechanisms protecting against or limiting the effects of denial of service attacks</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-5.1">
+         <control class="SP800-53-enhancement" id="sc-5.1">
             <title>Restrict Internal Users</title>
             <param id="sc-5.1_prm_1">
                <label>organization-defined denial of service attacks</label>
@@ -41633,8 +41633,8 @@
                   <p>Automated mechanisms restricting the ability to launch denial of service attacks against other information systems</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-5.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-5.2">
             <title>Excess Capacity / Bandwidth / Redundancy</title>
             <prop name="label">SC-5(2)</prop>
             <part id="sc-5.2_smt" name="statement">
@@ -41684,8 +41684,8 @@
                   <p>Automated mechanisms implementing management of information system bandwidth, capacity, and redundancy to limit the effects of information flooding denial of service attacks</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-5.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-5.3">
             <title>Detection / Monitoring</title>
             <param id="sc-5.3_prm_1">
                <label>organization-defined monitoring tools</label>
@@ -41763,7 +41763,7 @@
                   <p>Automated mechanisms/tools implementing information system monitoring for denial of service attacks</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-6">
          <title>Resource Availability</title>
@@ -41947,19 +41947,19 @@
                <p>Automated mechanisms implementing boundary protection capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.1">
+         <control class="SP800-53-enhancement" id="sc-7.1">
             <title>Physically Separated Subnetworks</title>
             <prop name="label">SC-7(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.2">
             <title>Public Access</title>
             <prop name="label">SC-7(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.3">
             <title>Access Points</title>
             <prop name="label">SC-7(3)</prop>
             <part id="sc-7.3_smt" name="statement">
@@ -42000,8 +42000,8 @@
                   <p>automated mechanisms limiting the number of external network connections to the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.4">
             <title>External Telecommunications Services</title>
             <param id="sc-7.4_prm_1">
                <label>organization-defined frequency</label>
@@ -42114,8 +42114,8 @@
                   <p>managed interfaces implementing traffic flow policy</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.5">
             <title>Deny by Default / Allow by Exception</title>
             <prop name="label">SC-7(5)</prop>
             <part id="sc-7.5_smt" name="statement">
@@ -42161,14 +42161,14 @@
                   <p>Automated mechanisms implementing traffic management at managed interfaces</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.6">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.6">
             <title>Response to Recognized Failures</title>
             <prop name="label">SC-7(6)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-7.18">SC-7 (18)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.7">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.7">
             <title>Prevent Split Tunneling for Remote Devices</title>
             <prop name="label">SC-7(7)</prop>
             <part id="sc-7.7_smt" name="statement">
@@ -42209,8 +42209,8 @@
                   <p>automated mechanisms supporting/restricting non-remote connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.8">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.8">
             <title>Route Traffic to Authenticated Proxy Servers</title>
             <param id="sc-7.8_prm_1">
                <label>organization-defined internal communications traffic</label>
@@ -42270,8 +42270,8 @@
                   <p>Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.9">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.9">
             <title>Restrict Threatening Outgoing Communications Traffic</title>
             <prop name="label">SC-7(9)</prop>
             <part id="sc-7.9_smt" name="statement">
@@ -42344,8 +42344,8 @@
                   <p>automated mechanisms implementing auditing of outgoing communications traffic</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.10">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.10">
             <title>Prevent Unauthorized Exfiltration</title>
             <prop name="label">SC-7(10)</prop>
             <part id="sc-7.10_smt" name="statement">
@@ -42384,8 +42384,8 @@
                   <p>preventing unauthorized exfiltration of information across managed interfaces</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.11">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.11">
             <title>Restrict Incoming Communications Traffic</title>
             <param id="sc-7.11_prm_1">
                <label>organization-defined authorized sources</label>
@@ -42442,8 +42442,8 @@
                   <p>Automated mechanisms implementing boundary protection capabilities with respect to source/destination address pairs</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.12">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.12">
             <title>Host-based Protection</title>
             <param id="sc-7.12_prm_1">
                <label>organization-defined host-based boundary protection mechanisms</label>
@@ -42500,8 +42500,8 @@
                   <p>Automated mechanisms implementing host-based boundary protection capabilities</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.13">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.13">
             <title>Isolation of Security Tools / Mechanisms / Support Components</title>
             <param id="sc-7.13_prm_1">
                <label>organization-defined information security tools, mechanisms, and support components</label>
@@ -42555,8 +42555,8 @@
                   <p>Automated mechanisms supporting and/or implementing isolation of information security tools, mechanisms, and support components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.14">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.14">
             <title>Protects Against Unauthorized Physical Connections</title>
             <param id="sc-7.14_prm_1">
                <label>organization-defined managed interfaces</label>
@@ -42608,8 +42608,8 @@
                   <p>Automated mechanisms supporting and/or implementing protection against unauthorized physical connections</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.15">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.15">
             <title>Route Privileged Network Accesses</title>
             <prop name="label">SC-7(15)</prop>
             <part id="sc-7.15_smt" name="statement">
@@ -42660,8 +42660,8 @@
                   <p>Automated mechanisms supporting and/or implementing the routing of networked, privileged access through dedicated managed interfaces</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.16">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.16">
             <title>Prevent Discovery of Components / Devices</title>
             <prop name="label">SC-7(16)</prop>
             <part id="sc-7.16_smt" name="statement">
@@ -42701,8 +42701,8 @@
                   <p>Automated mechanisms supporting and/or implementing the prevention of discovery of system components at managed interfaces</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.17">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.17">
             <title>Automated Enforcement of Protocol Formats</title>
             <prop name="label">SC-7(17)</prop>
             <part id="sc-7.17_smt" name="statement">
@@ -42742,8 +42742,8 @@
                   <p>Automated mechanisms supporting and/or implementing enforcement of adherence to protocol formats</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.18">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.18">
             <title>Fail Secure</title>
             <prop name="label">SC-7(18)</prop>
             <part id="sc-7.18_smt" name="statement">
@@ -42784,8 +42784,8 @@
                   <p>Automated mechanisms supporting and/or implementing secure failure</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.19">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.19">
             <title>Blocks Communication from Non-organizationally Configured Hosts</title>
             <param id="sc-7.19_prm_1">
                <label>organization-defined communication clients</label>
@@ -42844,8 +42844,8 @@
                   <p>Automated mechanisms supporting and/or implementing the blocking of inbound and outbound communications traffic between communication clients independently configured by end users and external service providers</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.20">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.20">
             <title>Dynamic Isolation / Segregation</title>
             <param id="sc-7.20_prm_1">
                <label>organization-defined information system components</label>
@@ -42897,8 +42897,8 @@
                   <p>Automated mechanisms supporting and/or implementing the capability to dynamically isolate/segregate information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.21">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.21">
             <title>Isolation of Information System Components</title>
             <param id="sc-7.21_prm_1">
                <label>organization-defined information system components</label>
@@ -42958,8 +42958,8 @@
                   <p>Automated mechanisms supporting and/or implementing the capability to separate information system components supporting organizational missions and/or business functions</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.22">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.22">
             <title>Separate Subnets for Connecting to Different Security Domains</title>
             <prop name="label">SC-7(22)</prop>
             <part id="sc-7.22_smt" name="statement">
@@ -42999,8 +42999,8 @@
                   <p>Automated mechanisms supporting and/or implementing separate network addresses/different subnets</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-7.23">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-7.23">
             <title>Disable Sender Feedback On Protocol Validation Failure</title>
             <prop name="label">SC-7(23)</prop>
             <part id="sc-7.23_smt" name="statement">
@@ -43040,7 +43040,7 @@
                   <p>Automated mechanisms supporting and/or implementing the disabling of feedback to senders on protocol format validation failure</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-8">
          <title>Transmission Confidentiality and Integrity</title>
@@ -43103,7 +43103,7 @@
                <p>Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-8.1">
+         <control class="SP800-53-enhancement" id="sc-8.1">
             <title>Cryptographic or Alternate Physical Protection</title>
             <param id="sc-8.1_prm_1">
                <select how-many="one or more">
@@ -43168,8 +43168,8 @@
                   <p>organizational processes for defining and implementing alternative physical safeguards</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-8.2">
             <title>Pre / Post Transmission Handling</title>
             <param id="sc-8.2_prm_1">
                <select how-many="one or more">
@@ -43229,8 +43229,8 @@
                   <p>Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-8.3">
             <title>Cryptographic Protection for Message Externals</title>
             <param id="sc-8.3_prm_1">
                <label>organization-defined alternative physical safeguards</label>
@@ -43282,8 +43282,8 @@
                   <p>organizational processes for defining and implementing alternative physical safeguards</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-8.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-8.4">
             <title>Conceal / Randomize Communications</title>
             <param id="sc-8.4_prm_1">
                <label>organization-defined alternative physical safeguards</label>
@@ -43343,7 +43343,7 @@
                   <p>organizational processes for defining and implementing alternative physical safeguards</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-9">
          <title>Transmission Confidentiality</title>
@@ -43457,7 +43457,7 @@
                <p>Automated mechanisms supporting and/or implementing trusted communications paths</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-11.1">
+         <control class="SP800-53-enhancement" id="sc-11.1">
             <title>Logical Isolation</title>
             <prop name="label">SC-11(1)</prop>
             <part id="sc-11.1_smt" name="statement">
@@ -43501,7 +43501,7 @@
                   <p>Automated mechanisms supporting and/or implementing trusted communications paths</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-12">
          <title>Cryptographic Key Establishment and Management</title>
@@ -43576,7 +43576,7 @@
                <p>Automated mechanisms supporting and/or implementing cryptographic key establishment and management</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-12.1">
+         <control class="SP800-53-enhancement" id="sc-12.1">
             <title>Availability</title>
             <prop name="label">SC-12(1)</prop>
             <part id="sc-12.1_smt" name="statement">
@@ -43613,8 +43613,8 @@
                   <p>Automated mechanisms supporting and/or implementing cryptographic key establishment and management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-12.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-12.2">
             <title>Symmetric Keys</title>
             <param id="sc-12.2_prm_1">
                <select>
@@ -43665,8 +43665,8 @@
                   <p>Automated mechanisms supporting and/or implementing symmetric cryptographic key establishment and management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-12.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-12.3">
             <title>Asymmetric Keys</title>
             <param id="sc-12.3_prm_1">
                <select>
@@ -43723,19 +43723,19 @@
                   <p>Automated mechanisms supporting and/or implementing asymmetric cryptographic key establishment and management</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-12.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-12.4">
             <title>PKI Certificates</title>
             <prop name="label">SC-12(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-12">SC-12</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-12.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-12.5">
             <title>PKI Certificates / Hardware Tokens</title>
             <prop name="label">SC-12(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-12">SC-12</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-13">
          <title>Cryptographic Protection</title>
@@ -43815,30 +43815,30 @@
                <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-13.1">
+         <control class="SP800-53-enhancement" id="sc-13.1">
             <title>Fips-validated Cryptography</title>
             <prop name="label">SC-13(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-13.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-13.2">
             <title>Nsa-approved Cryptography</title>
             <prop name="label">SC-13(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-13.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-13.3">
             <title>Individuals Without Formal Access Approvals</title>
             <prop name="label">SC-13(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-13.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-13.4">
             <title>Digital Signatures</title>
             <prop name="label">SC-13(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-14">
          <title>Public Access Protections</title>
@@ -43921,7 +43921,7 @@
                <p>automated mechanisms providing an indication of use of collaborative computing devices</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-15.1">
+         <control class="SP800-53-enhancement" id="sc-15.1">
             <title>Physical Disconnect</title>
             <prop name="label">SC-15(1)</prop>
             <part id="sc-15.1_smt" name="statement">
@@ -43960,14 +43960,14 @@
                   <p>Automated mechanisms supporting and/or implementing physical disconnect of collaborative computing devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-15.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-15.2">
             <title>Blocking Inbound / Outbound Communications Traffic</title>
             <prop name="label">SC-15(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-15.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-15.3">
             <title>Disabling / Removal in Secure Work Areas</title>
             <param id="sc-15.3_prm_1">
                <label>organization-defined information systems or information system components</label>
@@ -44025,8 +44025,8 @@
                   <p>Automated mechanisms supporting and/or implementing the capability to disable collaborative computing devices</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-15.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-15.4">
             <title>Explicitly Indicate Current Participants</title>
             <param id="sc-15.4_prm_1">
                <label>organization-defined online meetings and teleconferences</label>
@@ -44076,7 +44076,7 @@
                   <p>Automated mechanisms supporting and/or implementing the capability to indicate participants on collaborative computing devices</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-16">
          <title>Transmission of Security Attributes</title>
@@ -44145,7 +44145,7 @@
                <p>Automated mechanisms supporting and/or implementing transmission of security attributes between information systems</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-16.1">
+         <control class="SP800-53-enhancement" id="sc-16.1">
             <title>Integrity Validation</title>
             <prop name="label">SC-16(1)</prop>
             <part id="sc-16.1_smt" name="statement">
@@ -44184,7 +44184,7 @@
                   <p>Automated mechanisms supporting and/or implementing validation of the integrity of transmitted security attributes</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-17">
          <title>Public Key Infrastructure Certificates</title>
@@ -44338,7 +44338,7 @@
                <p>automated mechanisms supporting and/or implementing the monitoring of mobile code</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-18.1">
+         <control class="SP800-53-enhancement" id="sc-18.1">
             <title>Identify Unacceptable Code / Take Corrective Actions</title>
             <param id="sc-18.1_prm_1">
                <label>organization-defined unacceptable mobile code</label>
@@ -44406,8 +44406,8 @@
                   <p>Automated mechanisms supporting and/or implementing mobile code detection, inspection, and corrective capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-18.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-18.2">
             <title>Acquisition / Development / Use</title>
             <param id="sc-18.2_prm_1">
                <label>organization-defined mobile code requirements</label>
@@ -44467,8 +44467,8 @@
                   <p>Organizational processes for the acquisition, development, and use of mobile code</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-18.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-18.3">
             <title>Prevent Downloading / Execution</title>
             <param id="sc-18.3_prm_1">
                <label>organization-defined unacceptable mobile code</label>
@@ -44523,8 +44523,8 @@
                   <p>Automated mechanisms preventing download and execution of unacceptable mobile code</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-18.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-18.4">
             <title>Prevent Automatic Execution</title>
             <param id="sc-18.4_prm_1">
                <label>organization-defined software applications</label>
@@ -44588,8 +44588,8 @@
                   <p>automated mechanisms enforcing actions to be taken prior to the execution of the mobile code</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-18.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-18.5">
             <title>Allow Execution Only in Confined Environments</title>
             <prop name="label">SC-18(5)</prop>
             <part id="sc-18.5_smt" name="statement">
@@ -44627,7 +44627,7 @@
                   <p>Automated mechanisms allowing execution of permitted mobile code in confined virtual machine environments</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-19">
          <title>Voice Over Internet Protocol</title>
@@ -44776,13 +44776,13 @@
                <p>Automated mechanisms supporting and/or implementing secure name/address resolution service</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-20.1">
+         <control class="SP800-53-enhancement" id="sc-20.1">
             <title>Child Subspaces</title>
             <prop name="label">SC-20(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-20">SC-20</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-20.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-20.2">
             <title>Data Origin / Integrity</title>
             <prop name="label">SC-20(2)</prop>
             <part id="sc-20.2_smt" name="statement">
@@ -44816,7 +44816,7 @@
                   <p>Automated mechanisms supporting and/or implementing data origin and integrity protection for internal name/address resolution service queries</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-21">
          <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
@@ -44874,12 +44874,12 @@
                <p>Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-21.1">
+         <control class="SP800-53-enhancement" id="sc-21.1">
             <title>Data Origin / Integrity</title>
             <prop name="label">SC-21(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-21">SC-21</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-22">
          <title>Architecture and Provisioning for Name / Address Resolution Service</title>
@@ -44976,7 +44976,7 @@
                <p>Automated mechanisms supporting and/or implementing session authenticity</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-23.1">
+         <control class="SP800-53-enhancement" id="sc-23.1">
             <title>Invalidate Session Identifiers at Logout</title>
             <prop name="label">SC-23(1)</prop>
             <part id="sc-23.1_smt" name="statement">
@@ -45012,14 +45012,14 @@
                   <p>Automated mechanisms supporting and/or implementing session identifier invalidation upon session termination</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-23.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-23.2">
             <title>User-initiated Logouts / Message Displays</title>
             <prop name="label">SC-23(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-12.1">AC-12 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-23.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-23.3">
             <title>Unique Session Identifiers with Randomization</title>
             <param id="sc-23.3_prm_1">
                <label>organization-defined randomness requirements</label>
@@ -45072,14 +45072,14 @@
                   <p>automated mechanisms supporting and/or implementing randomness requirements</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-23.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-23.4">
             <title>Unique Session Identifiers with Randomization</title>
             <prop name="label">SC-23(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-23.3">SC-23 (3)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-23.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-23.5">
             <title>Allowed Certificate Authorities</title>
             <param id="sc-23.5_prm_1">
                <label>organization-defined certificate authorities</label>
@@ -45128,7 +45128,7 @@
                   <p>Automated mechanisms supporting and/or implementing management of certificate authorities</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-24">
          <title>Fail in Known State</title>
@@ -45295,12 +45295,12 @@
                <p>Automated mechanisms supporting and/or implementing honey pots</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-26.1">
+         <control class="SP800-53-enhancement" id="sc-26.1">
             <title>Detection of Malicious Code</title>
             <prop name="label">SC-26(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-35">SC-35</link>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-27">
          <title>Platform-independent Applications</title>
@@ -45438,7 +45438,7 @@
                <p>Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-28.1">
+         <control class="SP800-53-enhancement" id="sc-28.1">
             <title>Cryptographic Protection</title>
             <param id="sc-28.1_prm_1">
                <label>organization-defined information</label>
@@ -45496,8 +45496,8 @@
                   <p>Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-28.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-28.2">
             <title>Off-line Storage</title>
             <param id="sc-28.2_prm_1">
                <label>organization-defined information</label>
@@ -45551,7 +45551,7 @@
                   <p>automated mechanisms supporting and/or implementing storage of information off-line</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-29">
          <title>Heterogeneity</title>
@@ -45605,7 +45605,7 @@
                <p>Automated mechanisms supporting and/or implementing employment of a diverse set of information technologies</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-29.1">
+         <control class="SP800-53-enhancement" id="sc-29.1">
             <title>Virtualization Techniques</title>
             <param id="sc-29.1_prm_1">
                <label>organization-defined frequency</label>
@@ -45658,7 +45658,7 @@
                   <p>automated mechanisms supporting and/or implementing virtualization techniques</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-30">
          <title>Concealment and Misdirection</title>
@@ -45727,13 +45727,13 @@
                <p>Automated mechanisms supporting and/or implementing concealment and misdirection techniques</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-30.1">
+         <control class="SP800-53-enhancement" id="sc-30.1">
             <title>Virtualization Techniques</title>
             <prop name="label">SC-30(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sc-29.1">SC-29 (1)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-30.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-30.2">
             <title>Randomness</title>
             <param id="sc-30.2_prm_1">
                <label>organization-defined techniques</label>
@@ -45783,8 +45783,8 @@
                   <p>Automated mechanisms supporting and/or implementing randomness as a concealment and misdirection technique</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-30.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-30.3">
             <title>Change Processing / Storage Locations</title>
             <param id="sc-30.3_prm_1">
                <label>organization-defined processing and/or storage</label>
@@ -45855,8 +45855,8 @@
                   <p>Automated mechanisms supporting and/or implementing changing processing and/or storage locations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-30.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-30.4">
             <title>Misleading Information</title>
             <param id="sc-30.4_prm_1">
                <label>organization-defined information system components</label>
@@ -45905,8 +45905,8 @@
                   <p>Automated mechanisms supporting and/or implementing employment of realistic, but misleading information about the security posture of information system components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-30.5">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-30.5">
             <title>Concealment of System Components</title>
             <param id="sc-30.5_prm_1">
                <label>organization-defined techniques</label>
@@ -45963,7 +45963,7 @@
                   <p>Automated mechanisms supporting and/or implementing techniques for concealment of system components</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-31">
          <title>Covert Channel Analysis</title>
@@ -46039,7 +46039,7 @@
                <p>automated mechanisms supporting and/or implementing the capability to estimate the bandwidth of covert channels</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-31.1">
+         <control class="SP800-53-enhancement" id="sc-31.1">
             <title>Test Covert Channels for Exploitability</title>
             <prop name="label">SC-31(1)</prop>
             <part id="sc-31.1_smt" name="statement">
@@ -46076,8 +46076,8 @@
                   <p>automated mechanisms supporting and/or implementing testing of covert channels analysis</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-31.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-31.2">
             <title>Maximum Bandwidth</title>
             <param id="sc-31.2_prm_1">
                <select how-many="one or more">
@@ -46145,8 +46145,8 @@
                   <p>automated mechanisms supporting and/or implementing the capability to reduce the bandwidth of covert channels</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-31.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-31.3">
             <title>Measure Bandwidth in Operational Environments</title>
             <param id="sc-31.3_prm_1">
                <label>organization-defined subset of identified covert channels</label>
@@ -46198,7 +46198,7 @@
                   <p>automated mechanisms supporting and/or implementing the capability to measure the bandwidth of covert channels</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-32">
          <title>Information System Partitioning</title>
@@ -46353,7 +46353,7 @@
                <p>automated mechanisms supporting and/or implementing loading and executing applications from hardware-enforced, read-only media</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-34.1">
+         <control class="SP800-53-enhancement" id="sc-34.1">
             <title>No Writable Storage</title>
             <param id="sc-34.1_prm_1">
                <label>organization-defined information system components</label>
@@ -46407,8 +46407,8 @@
                   <p>automated mechanisms supporting and/or implementing persistent non-writeable storage across component restart and power on/off</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-34.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-34.2">
             <title>Integrity Protection / Read-only Media</title>
             <prop name="label">SC-34(2)</prop>
             <part id="sc-34.2_smt" name="statement">
@@ -46465,8 +46465,8 @@
                   <p>Automated mechanisms supporting and/or implementing capability for protecting information integrity on read-only media prior to storage and after information has been recorded onto the media</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-34.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-34.3">
             <title>Hardware-based Protection</title>
             <param id="sc-34.3_prm_1">
                <label>organization-defined information system firmware components</label>
@@ -46541,7 +46541,7 @@
                   <p>automated mechanisms supporting and/or implementing hardware-based, write-protection for firmware</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-35">
          <title>Honeyclients</title>
@@ -46646,7 +46646,7 @@
                <p>automated mechanisms supporting and/or implementing capability for distributing processing and storage across multiple physical locations</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-36.1">
+         <control class="SP800-53-enhancement" id="sc-36.1">
             <title>Polling Techniques</title>
             <param id="sc-36.1_prm_1">
                <label>organization-defined distributed processing and storage components</label>
@@ -46698,7 +46698,7 @@
                   <p>Automated mechanisms supporting and/or implementing polling techniques</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-37">
          <title>Out-of-band Channels</title>
@@ -46783,7 +46783,7 @@
                <p>automated mechanisms supporting and/or implementing use of out-of-band channels</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-37.1">
+         <control class="SP800-53-enhancement" id="sc-37.1">
             <title>Ensure Delivery / Transmission</title>
             <param id="sc-37.1_prm_1">
                <label>organization-defined security safeguards</label>
@@ -46855,7 +46855,7 @@
                   <p>automated mechanisms supporting/implementing safeguards to ensure delivery of designated information, system components, or devices</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-38">
          <title>Operations Security</title>
@@ -46957,7 +46957,7 @@
                <p>Automated mechanisms supporting and/or implementing separate execution domains for each executing process</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-39.1">
+         <control class="SP800-53-enhancement" id="sc-39.1">
             <title>Hardware Separation</title>
             <prop name="label">SC-39(1)</prop>
             <part id="sc-39.1_smt" name="statement">
@@ -46998,8 +46998,8 @@
                   <p>Information system capability implementing underlying hardware separation mechanisms for process separation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-39.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-39.2">
             <title>Thread Isolation</title>
             <param id="sc-39.2_prm_1">
                <label>organization-defined multi-threaded processing</label>
@@ -47049,7 +47049,7 @@
                   <p>Information system capability implementing a separate execution domain for each thread in multi-threaded processing</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-40">
          <title>Wireless Link Protection</title>
@@ -47123,7 +47123,7 @@
                <p>Automated mechanisms supporting and/or implementing protection of wireless links</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-40.1">
+         <control class="SP800-53-enhancement" id="sc-40.1">
             <title>Electromagnetic Interference</title>
             <param id="sc-40.1_prm_1">
                <label>organization-defined level of protection</label>
@@ -47180,8 +47180,8 @@
                   <p>Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-40.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-40.2">
             <title>Reduce Detection Potential</title>
             <param id="sc-40.2_prm_1">
                <label>organization-defined level of reduction</label>
@@ -47238,8 +47238,8 @@
                   <p>Cryptographic mechanisms enforcing protections to reduce detection of wireless links</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-40.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-40.3">
             <title>Imitative or Manipulative Communications Deception</title>
             <prop name="label">SC-40(3)</prop>
             <part id="sc-40.3_smt" name="statement">
@@ -47291,8 +47291,8 @@
                   <p>Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-40.4">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-40.4">
             <title>Signal Parameter Identification</title>
             <param id="sc-40.4_prm_1">
                <label>organization-defined wireless transmitters</label>
@@ -47347,7 +47347,7 @@
                   <p>Cryptographic mechanisms preventing the identification of wireless transmitters</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-41">
          <title>Port and I/O Device Access</title>
@@ -47484,7 +47484,7 @@
                <p>automated mechanisms implementing capability to indicate sensor use</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="sc-42.1">
+         <control class="SP800-53-enhancement" id="sc-42.1">
             <title>Reporting to Authorized Individuals or Roles</title>
             <param id="sc-42.1_prm_1">
                <label>organization-defined sensors</label>
@@ -47537,8 +47537,8 @@
                   <p>sensor data collection and reporting capability for the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-42.2">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-42.2">
             <title>Authorized Use</title>
             <param id="sc-42.2_prm_1">
                <label>organization-defined measures</label>
@@ -47598,8 +47598,8 @@
                   <p>sensor information collection capability for the information system</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="sc-42.3">
+         </control>
+         <control class="SP800-53-enhancement" id="sc-42.3">
             <title>Prohibit Use of Devices</title>
             <param id="sc-42.3_prm_1">
                <label>organization-defined environmental sensing capabilities</label>
@@ -47653,7 +47653,7 @@
                   <p>organizational personnel with responsibility for sensor capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="sc-43">
          <title>Usage Restrictions</title>
@@ -48073,7 +48073,7 @@
                <p>automated mechanisms supporting and/or implementing testing software and firmware updates</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-2.1">
+         <control class="SP800-53-enhancement" id="si-2.1">
             <title>Central Management</title>
             <prop name="label">SI-2(1)</prop>
             <part id="si-2.1_smt" name="statement">
@@ -48113,8 +48113,8 @@
                   <p>automated mechanisms supporting and/or implementing central management of the flaw remediation process</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-2.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-2.2">
             <title>Automated Flaw Remediation Status</title>
             <param id="si-2.2_prm_1">
                <label>organization-defined frequency</label>
@@ -48165,8 +48165,8 @@
                   <p>Automated mechanisms used to determine the state of information system components with regard to flaw remediation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-2.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-2.3">
             <title>Time to Remediate Flaws / Benchmarks for Corrective Actions</title>
             <param id="si-2.3_prm_1">
                <label>organization-defined benchmarks</label>
@@ -48234,14 +48234,14 @@
                   <p>automated mechanisms used to measure the time between flaw identification and flaw remediation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-2.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-2.4">
             <title>Automated Patch Management Tools</title>
             <prop name="label">SI-2(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-2">SI-2</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-2.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-2.5">
             <title>Automatic Software / Firmware Updates</title>
             <param id="si-2.5_prm_1">
                <label>organization-defined security-relevant software and firmware updates</label>
@@ -48320,8 +48320,8 @@
                   <p>Automated mechanisms implementing automatic software/firmware updates</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-2.6">
+         </control>
+         <control class="SP800-53-enhancement" id="si-2.6">
             <title>Removal of Previous Versions of Software / Firmware</title>
             <param id="si-2.6_prm_1">
                <label>organization-defined software and firmware components</label>
@@ -48386,7 +48386,7 @@
                   <p>Automated mechanisms supporting and/or implementing removal of previous versions of software/firmware</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-3">
          <title>Malicious Code Protection</title>
@@ -48565,7 +48565,7 @@
                <p>automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-3.1">
+         <control class="SP800-53-enhancement" id="si-3.1">
             <title>Central Management</title>
             <prop name="label">SI-3(1)</prop>
             <part id="si-3.1_smt" name="statement">
@@ -48607,8 +48607,8 @@
                   <p>automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.2">
             <title>Automatic Updates</title>
             <prop name="label">SI-3(2)</prop>
             <part id="si-3.2_smt" name="statement">
@@ -48649,14 +48649,14 @@
                   <p>Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.3">
             <title>Non-privileged Users</title>
             <prop name="label">SI-3(3)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-6.10">AC-6 (10)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.4">
             <title>Updates Only by Privileged Users</title>
             <prop name="label">SI-3(4)</prop>
             <part id="si-3.4_smt" name="statement">
@@ -48699,14 +48699,14 @@
                   <p>Automated mechanisms supporting and/or implementing malicious code protection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.5">
             <title>Portable Storage Devices</title>
             <prop name="label">SI-3(5)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.6">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.6">
             <title>Testing / Verification</title>
             <param id="si-3.6_prm_1">
                <label>organization-defined frequency</label>
@@ -48783,8 +48783,8 @@
                   <p>Automated mechanisms supporting and/or implementing testing and verification of malicious code protection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.7">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.7">
             <title>Nonsignature-based Detection</title>
             <prop name="label">SI-3(7)</prop>
             <part id="si-3.7_smt" name="statement">
@@ -48825,8 +48825,8 @@
                   <p>Automated mechanisms supporting and/or implementing nonsignature-based malicious code protection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.8">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.8">
             <title>Detect Unauthorized Commands</title>
             <param id="si-3.8_prm_1">
                <label>organization-defined unauthorized operating system commands</label>
@@ -48906,8 +48906,8 @@
                   <p>automated mechanisms supporting and/or implementing detection of unauthorized operating system commands through the kernel application programming interface</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.9">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.9">
             <title>Authenticate Remote Commands</title>
             <param id="si-3.9_prm_1">
                <label>organization-defined security safeguards</label>
@@ -48971,8 +48971,8 @@
                   <p>automated mechanisms supporting and/or implementing security safeguards to authenticate remote commands</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-3.10">
+         </control>
+         <control class="SP800-53-enhancement" id="si-3.10">
             <title>Malicious Code Analysis</title>
             <param id="si-3.10_prm_1">
                <label>organization-defined tools and techniques</label>
@@ -49048,7 +49048,7 @@
                   <p>tools and techniques for analysis of malicious code characteristics and behavior</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-4">
          <title>Information System Monitoring</title>
@@ -49292,7 +49292,7 @@
                <p>automated mechanisms supporting and/or implementing information system monitoring capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-4.1">
+         <control class="SP800-53-enhancement" id="si-4.1">
             <title>System-wide Intrusion Detection System</title>
             <prop name="label">SI-4(1)</prop>
             <part id="si-4.1_smt" name="statement">
@@ -49338,8 +49338,8 @@
                   <p>automated mechanisms supporting and/or implementing intrusion detection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.2">
             <title>Automated Tools for Real-time Analysis</title>
             <prop name="label">SI-4(2)</prop>
             <part id="si-4.2_smt" name="statement">
@@ -49382,8 +49382,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing analysis of events</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.3">
             <title>Automated Tool Integration</title>
             <prop name="label">SI-4(3)</prop>
             <part id="si-4.3_smt" name="statement">
@@ -49432,8 +49432,8 @@
                   <p>automated mechanisms/tools supporting and/or implementing integration of intrusion detection tools into access/flow control mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.4">
             <title>Inbound and Outbound Communications Traffic</title>
             <param id="si-4.4_prm_1">
                <label>organization-defined frequency</label>
@@ -49503,8 +49503,8 @@
                   <p>automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.5">
             <title>System-generated Alerts</title>
             <param id="si-4.5_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -49567,14 +49567,14 @@
                   <p>automated mechanisms supporting and/or implementing alerts for compromise indicators</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.6">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.6">
             <title>Restrict Non-privileged Users</title>
             <prop name="label">SI-4(6)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#ac-6.10">AC-6 (10)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.7">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.7">
             <title>Automated Response to Suspicious Events</title>
             <param id="si-4.7_prm_1">
                <label>organization-defined incident response personnel (identified by name and/or by role)</label>
@@ -49642,14 +49642,14 @@
                   <p>automated mechanisms supporting and/or implementing actions to terminate suspicious events</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.8">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.8">
             <title>Protection of Monitoring Information</title>
             <prop name="label">SI-4(8)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.9">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.9">
             <title>Testing of Monitoring Tools</title>
             <param id="si-4.9_prm_1">
                <label>organization-defined frequency</label>
@@ -49700,8 +49700,8 @@
                   <p>automated mechanisms supporting and/or implementing testing of intrusion-monitoring tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.10">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.10">
             <title>Visibility of Encrypted Communications</title>
             <param id="si-4.10_prm_1">
                <label>organization-defined encrypted communications traffic</label>
@@ -49761,8 +49761,8 @@
                   <p>automated mechanisms supporting and/or implementing visibility of encrypted communications traffic to monitoring tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.11">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.11">
             <title>Analyze Communications Traffic Anomalies</title>
             <param id="si-4.11_prm_1">
                <label>organization-defined interior points within the system (e.g., subnetworks, subsystems)</label>
@@ -49825,8 +49825,8 @@
                   <p>automated mechanisms supporting and/or implementing analysis of communications traffic</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.12">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.12">
             <title>Automated Alerts</title>
             <param id="si-4.12_prm_1">
                <label>organization-defined activities that trigger alerts</label>
@@ -49885,8 +49885,8 @@
                   <p>automated mechanisms supporting and/or implementing automated alerts to security personnel</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.13">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.13">
             <title>Analyze Traffic / Event Patterns</title>
             <prop name="label">SI-4(13)</prop>
             <part id="si-4.13_smt" name="statement">
@@ -49954,8 +49954,8 @@
                   <p>automated mechanisms supporting and/or implementing analysis of communications traffic/event patterns</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.14">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.14">
             <title>Wireless Intrusion Detection</title>
             <prop name="label">SI-4(14)</prop>
             <part id="si-4.14_smt" name="statement">
@@ -50011,8 +50011,8 @@
                   <p>automated mechanisms supporting and/or implementing wireless intrusion detection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.15">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.15">
             <title>Wireless to Wireline Communications</title>
             <prop name="label">SI-4(15)</prop>
             <part id="si-4.15_smt" name="statement">
@@ -50055,8 +50055,8 @@
                   <p>automated mechanisms supporting and/or implementing wireless intrusion detection capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.16">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.16">
             <title>Correlate Monitoring Information</title>
             <prop name="label">SI-4(16)</prop>
             <part id="si-4.16_smt" name="statement">
@@ -50100,8 +50100,8 @@
                   <p>automated mechanisms supporting and/or implementing correlation of information from monitoring tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.17">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.17">
             <title>Integrated Situational Awareness</title>
             <prop name="label">SI-4(17)</prop>
             <part id="si-4.17_smt" name="statement">
@@ -50157,8 +50157,8 @@
                   <p>automated mechanisms supporting and/or implementing correlation of information from monitoring tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.18">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.18">
             <title>Analyze Traffic / Covert Exfiltration</title>
             <param id="si-4.18_prm_1">
                <label>organization-defined interior points within the system (e.g., subsystems, subnetworks)</label>
@@ -50221,8 +50221,8 @@
                   <p>automated mechanisms supporting and/or implementing analysis of outbound communications traffic</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.19">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.19">
             <title>Individuals Posing Greater Risk</title>
             <param id="si-4.19_prm_1">
                <label>organization-defined additional monitoring</label>
@@ -50281,8 +50281,8 @@
                   <p>automated mechanisms supporting and/or implementing system monitoring capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.20">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.20">
             <title>Privileged Users</title>
             <param id="si-4.20_prm_1">
                <label>organization-defined additional monitoring</label>
@@ -50332,8 +50332,8 @@
                   <p>automated mechanisms supporting and/or implementing system monitoring capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.21">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.21">
             <title>Probationary Periods</title>
             <param id="si-4.21_prm_1">
                <label>organization-defined additional monitoring</label>
@@ -50389,8 +50389,8 @@
                   <p>automated mechanisms supporting and/or implementing system monitoring capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.22">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.22">
             <title>Unauthorized Network Services</title>
             <param id="si-4.22_prm_1">
                <label>organization-defined authorization or approval processes</label>
@@ -50472,8 +50472,8 @@
                   <p>automated mechanisms for providing alerts</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.23">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.23">
             <title>Host-based Devices</title>
             <param id="si-4.23_prm_1">
                <label>organization-defined host-based monitoring mechanisms</label>
@@ -50534,8 +50534,8 @@
                   <p>automated mechanisms supporting and/or implementing host-based monitoring capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-4.24">
+         </control>
+         <control class="SP800-53-enhancement" id="si-4.24">
             <title>Indicators of Compromise</title>
             <prop name="label">SI-4(24)</prop>
             <part id="si-4.24_smt" name="statement">
@@ -50595,7 +50595,7 @@
                   <p>automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-5">
          <title>Security Alerts, Advisories, and Directives</title>
@@ -50730,7 +50730,7 @@
                <p>automated mechanisms supporting and/or implementing security directives</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-5.1">
+         <control class="SP800-53-enhancement" id="si-5.1">
             <title>Automated Alerts and Advisories</title>
             <prop name="label">SI-5(1)</prop>
             <part id="si-5.1_smt" name="statement">
@@ -50772,7 +50772,7 @@
                   <p>automated mechanisms supporting and/or implementing dissemination of security alerts and advisories</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-6">
          <title>Security Function Verification</title>
@@ -50935,13 +50935,13 @@
                <p>automated mechanisms supporting and/or implementing security function verification capability</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-6.1">
+         <control class="SP800-53-enhancement" id="si-6.1">
             <title>Notification of Failed Security Tests</title>
             <prop name="label">SI-6(1)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-6">SI-6</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-6.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-6.2">
             <title>Automation Support for Distributed Testing</title>
             <prop name="label">SI-6(2)</prop>
             <part id="si-6.2_smt" name="statement">
@@ -50980,8 +50980,8 @@
                   <p>automated mechanisms supporting and/or implementing the management of distributed security testing</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-6.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-6.3">
             <title>Report Verification Results</title>
             <param id="si-6.3_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -51033,7 +51033,7 @@
                   <p>automated mechanisms supporting and/or implementing the reporting of security function verification results</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-7">
          <title>Software, Firmware, and Information Integrity</title>
@@ -51114,7 +51114,7 @@
                <p>Software, firmware, and information integrity verification tools</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-7.1">
+         <control class="SP800-53-enhancement" id="si-7.1">
             <title>Integrity Checks</title>
             <param id="si-7.1_prm_1">
                <label>organization-defined software, firmware, and information</label>
@@ -51233,8 +51233,8 @@
                   <p>Software, firmware, and information integrity verification tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.2">
             <title>Automated Notifications of Integrity Violations</title>
             <param id="si-7.2_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -51286,8 +51286,8 @@
                   <p>automated mechanisms providing integrity discrepancy notifications</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.3">
             <title>Centrally-managed Integrity Tools</title>
             <prop name="label">SI-7(3)</prop>
             <part id="si-7.3_smt" name="statement">
@@ -51326,14 +51326,14 @@
                   <p>Automated mechanisms supporting and/or implementing central management of integrity verification tools</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.4">
             <title>Tamper-evident Packaging</title>
             <prop name="label">SI-7(4)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#sa-12">SA-12</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.5">
             <title>Automated Response to Integrity Violations</title>
             <param id="si-7.5_prm_1">
                <select how-many="one or more">
@@ -51406,8 +51406,8 @@
                   <p>automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.6">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.6">
             <title>Cryptographic Protection</title>
             <prop name="label">SI-7(6)</prop>
             <part id="si-7.6_smt" name="statement">
@@ -51461,8 +51461,8 @@
                   <p>cryptographic mechanisms implementing software, firmware, and information integrity</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.7">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.7">
             <title>Integration of Detection and Response</title>
             <param id="si-7.7_prm_1">
                <label>organization-defined security-relevant changes to the information system</label>
@@ -51517,8 +51517,8 @@
                   <p>automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.8">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.8">
             <title>Auditing Capability for Significant Events</title>
             <param id="si-7.8_prm_1">
                <select how-many="one or more">
@@ -51614,8 +51614,8 @@
                   <p>automated mechanisms supporting and/or implementing alerts about potential integrity violations</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.9">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.9">
             <title>Verify Boot Process</title>
             <param id="si-7.9_prm_1">
                <label>organization-defined devices</label>
@@ -51667,8 +51667,8 @@
                   <p>automated mechanisms supporting and/or implementing integrity verification of the boot process</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.10">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.10">
             <title>Protection of Boot Firmware</title>
             <param id="si-7.10_prm_1">
                <label>organization-defined security safeguards</label>
@@ -51728,8 +51728,8 @@
                   <p>safeguards implementing protection of the integrity of boot firmware</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.11">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.11">
             <title>Confined Environments with Limited Privileges</title>
             <param id="si-7.11_prm_1">
                <label>organization-defined user-installed software</label>
@@ -51778,8 +51778,8 @@
                   <p>automated mechanisms supporting and/or implementing limited privileges in the confined environment</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.12">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.12">
             <title>Integrity Verification</title>
             <param id="si-7.12_prm_1">
                <label>organization-defined user-installed software</label>
@@ -51828,8 +51828,8 @@
                   <p>automated mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.13">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.13">
             <title>Code Execution in Protected Environments</title>
             <param id="si-7.13_prm_1">
                <label>organization-defined personnel or roles</label>
@@ -51888,8 +51888,8 @@
                   <p>automated mechanisms supporting and/or implementing approvals for execution of binary or machine-executable code</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.14">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.14">
             <title>Binary or Machine Executable Code</title>
             <prop name="label">SI-7(14)</prop>
             <part id="si-7.14_smt" name="statement">
@@ -51962,8 +51962,8 @@
                   <p>Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.15">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.15">
             <title>Code Authentication</title>
             <param id="si-7.15_prm_1">
                <label>organization-defined software or firmware components</label>
@@ -52027,8 +52027,8 @@
                   <p>Cryptographic mechanisms authenticating software/firmware prior to installation</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-7.16">
+         </control>
+         <control class="SP800-53-enhancement" id="si-7.16">
             <title>Time Limit On Process Execution w/o Supervision</title>
             <param id="si-7.16_prm_1">
                <label>organization-defined time period</label>
@@ -52078,7 +52078,7 @@
                   <p>automated mechanisms supporting and/or implementing time limits on process execution without supervision</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-8">
          <title>Spam Protection</title>
@@ -52160,7 +52160,7 @@
                <p>automated mechanisms supporting and/or implementing spam protection</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-8.1">
+         <control class="SP800-53-enhancement" id="si-8.1">
             <title>Central Management</title>
             <prop name="label">SI-8(1)</prop>
             <part id="si-8.1_smt" name="statement">
@@ -52202,8 +52202,8 @@
                   <p>automated mechanisms supporting and/or implementing central management of spam protection</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-8.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-8.2">
             <title>Automatic Updates</title>
             <prop name="label">SI-8(2)</prop>
             <part id="si-8.2_smt" name="statement">
@@ -52241,8 +52241,8 @@
                   <p>automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-8.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-8.3">
             <title>Continuous Learning Capability</title>
             <prop name="label">SI-8(3)</prop>
             <part id="si-8.3_smt" name="statement">
@@ -52282,7 +52282,7 @@
                   <p>automated mechanisms supporting and/or implementing spam protection mechanisms with a learning capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-9">
          <title>Information Input Restrictions</title>
@@ -52346,7 +52346,7 @@
                <p>Automated mechanisms supporting and/or implementing validity checks on information inputs</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-10.1">
+         <control class="SP800-53-enhancement" id="si-10.1">
             <title>Manual Override Capability</title>
             <param id="si-10.1_prm_1">
                <label>organization-defined inputs</label>
@@ -52436,8 +52436,8 @@
                   <p>automated mechanisms supporting and/or implementing auditing of the use of manual override capability</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-10.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-10.2">
             <title>Review / Resolution of Errors</title>
             <param id="si-10.2_prm_1">
                <label>organization-defined time period</label>
@@ -52490,8 +52490,8 @@
                   <p>automated mechanisms supporting and/or implementing review and resolution of input validation errors</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-10.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-10.3">
             <title>Predictable Behavior</title>
             <prop name="label">SI-10(3)</prop>
             <part id="si-10.3_smt" name="statement">
@@ -52529,8 +52529,8 @@
                   <p>Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-10.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-10.4">
             <title>Review / Timing Interactions</title>
             <prop name="label">SI-10(4)</prop>
             <part id="si-10.4_smt" name="statement">
@@ -52569,8 +52569,8 @@
                   <p>automated mechanisms supporting and/or implementing responses to invalid inputs</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-10.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-10.5">
             <title>Restrict Inputs to Trusted Sources and Approved Formats</title>
             <param id="si-10.5_prm_1">
                <label>organization-defined trusted sources</label>
@@ -52637,7 +52637,7 @@
                   <p>automated mechanisms supporting and/or implementing restriction of information inputs</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-11">
          <title>Error Handling</title>
@@ -52850,7 +52850,7 @@
                <p>Organizational processes for managing MTTF</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-13.1">
+         <control class="SP800-53-enhancement" id="si-13.1">
             <title>Transferring Component Responsibilities</title>
             <param id="si-13.1_prm_1">
                <label>organization-defined fraction or percentage</label>
@@ -52897,14 +52897,14 @@
                   <p>automated mechanisms supporting and/or implementing transfer of component responsibilities to substitute components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-13.2">
+         </control>
+         <control class="SP800-53-enhancement" id="si-13.2">
             <title>Time Limit On Process Execution Without Supervision</title>
             <prop name="label">SI-13(2)</prop>
             <prop name="status">Withdrawn</prop>
             <link rel="incorporated-into" href="#si-7.16">SI-7 (16)</link>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-13.3">
+         </control>
+         <control class="SP800-53-enhancement" id="si-13.3">
             <title>Manual Transfer Between Components</title>
             <param id="si-13.3_prm_1">
                <label>organization-defined frequency</label>
@@ -52957,8 +52957,8 @@
                   <p>Organizational processes for managing MTTF and conducting the manual transfer between active and standby components</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-13.4">
+         </control>
+         <control class="SP800-53-enhancement" id="si-13.4">
             <title>Standby Component Installation / Notification</title>
             <param id="si-13.4_prm_1">
                <label>organization-defined time period</label>
@@ -53051,8 +53051,8 @@
                   <p>automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected</p>
                </part>
             </part>
-         </subcontrol>
-         <subcontrol class="SP800-53-enhancement" id="si-13.5">
+         </control>
+         <control class="SP800-53-enhancement" id="si-13.5">
             <title>Failover Capability</title>
             <param id="si-13.5_prm_1">
                <select>
@@ -53117,7 +53117,7 @@
                   <p>automated mechanisms supporting and/or implementing failover capability</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-14">
          <title>Non-persistence</title>
@@ -53194,7 +53194,7 @@
                <p>Automated mechanisms supporting and/or implementing initiation and termination of non-persistent components</p>
             </part>
          </part>
-         <subcontrol class="SP800-53-enhancement" id="si-14.1">
+         <control class="SP800-53-enhancement" id="si-14.1">
             <title>Refresh from Trusted Sources</title>
             <param id="si-14.1_prm_1">
                <label>organization-defined trusted sources</label>
@@ -53242,7 +53242,7 @@
                   <p>automated mechanisms supporting and/or implementing component and service refreshes</p>
                </part>
             </part>
-         </subcontrol>
+         </control>
       </control>
       <control class="SP800-53" id="si-15">
          <title>Information Output Filtering</title>
diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml
index 69d7596981..8bdb628826 100644
--- a/src/metaschema/oscal_catalog_metaschema.xml
+++ b/src/metaschema/oscal_catalog_metaschema.xml
@@ -16,6 +16,7 @@
    <remarks>
       <p>The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements (subcontrols), along with contextualizing documentation and metadata. The root of the Control Catalog format is <code>catalog</code>.</p>
    </remarks>
+   <import href="oscal_control_common_metaschema.xml"/>
    <import href="oscal_metadata_metaschema.xml"/>
    <define-assembly name="catalog">
       <formal-name>Catalog</formal-name>
@@ -53,11 +54,7 @@
          </catalog>
       </example>
    </define-assembly>
-   <!--<define-field name="declarations" as="empty">
-    <flag name="href" datatype="anyURI"/>
-    <formal-name>Declarations</formal-name>
-    <description>Either a reference to a declarations file, or a set of declarations</description>
-  </define-field>-->
+   
    <define-assembly name="group">
       <formal-name>Control Group</formal-name>
       <description>A group of controls, or of groups of controls.</description>
@@ -82,7 +79,6 @@
                <group-as name="controls"/>
             </assembly>
          </choice>
-         <!--<assembly named="ref-list"/>-->
          <any/>
       </model>
       <remarks>
@@ -99,6 +95,7 @@
          </group>
       </example>
    </define-assembly>
+   
    <define-assembly name="control">
       <formal-name>Control</formal-name>
       <description>A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.</description>
@@ -119,8 +116,8 @@
          <assembly ref="part" max-occurs="unbounded">
             <group-as name="parts"/>
          </assembly>
-         <assembly ref="subcontrol" max-occurs="unbounded">
-            <group-as name="subcontrols"/>
+         <assembly ref="control" max-occurs="unbounded">
+            <group-as name="controls"/>
          </assembly>
          <!--<assembly named="ref-list"/>-->
          <any/>
@@ -135,177 +132,5 @@
          </control>
       </example>
    </define-assembly>
-   <define-assembly name="subcontrol">
-      <formal-name>Sub-Control</formal-name>
-      <description>A control extension or enhancement</description>
-      <flag ref="id" required="yes"/>
-      <flag ref="class"/>
-      <model>
-         <field ref="title" min-occurs="1"/>
-         <assembly ref="param" max-occurs="unbounded">
-            <group-as name="parameters"/>
-         </assembly>
-         <field ref="prop" max-occurs="unbounded">
-            <group-as name="properties"/></field>
-         <field ref="link" max-occurs="unbounded">
-            <group-as name="links"/>
-         </field>
-         <assembly ref="part" max-occurs="unbounded">
-            <group-as name="parts"/>
-         </assembly>
-         <!--<assembly named="ref-list"/>-->
-         <any/>
-      </model>
-   </define-assembly>
-   <!-- See metadata model for 'prop' element -->
-   <define-assembly name="param">
-      <formal-name>Parameter</formal-name>
-      <description>Parameters provide a mechanism for the dynamic assignment of value(s) in a control.</description>
-      <flag ref="id" required="yes"/>
-      <flag ref="class"/>
-      <flag ref="depends-on"/>
-      <model>
-         <field ref="label">
-            <description>A short name for the parameter.</description>
-            <remarks>
-               <p>The label value should be suitable for inline display in a rendered catalog.</p>
-            </remarks>
-         </field>
-         <field ref="usage" max-occurs="unbounded">
-            <group-as name="descriptions"/>
-         </field>
-         <field ref="constraint" max-occurs="unbounded">
-            <group-as name="constraints"/>
-         </field>
-         <assembly ref="guideline" max-occurs="unbounded">
-            <group-as name="guidance"/>
-         </assembly>
-         <choice>
-            <field ref="value">
-               <description>A recommended parameter value or set of values.</description>
-               <remarks>
-                  <p>A value provided in a catalog can be redefined at any higher layer of OSCAL (e.g., Profile).</p>
-               </remarks>
-            </field>
-            <assembly ref="select">
-               <description>A set of parameter value choices, that may be picked from to set the parameter value.</description>
-               <remarks>
-                  <p>.</p>
-               </remarks>
-            </assembly>
-         </choice>
-         <field ref="link" max-occurs="unbounded">
-            <group-as name="links"/>
-         </field>
-         <any/>
-      </model>
-      <remarks>
-         <p>In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The <code>value</code> may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.</p>
-         <p>A parameter can include a variety of metadata options that support the future solicitation of one or more values. A <code>label</code> provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The <code>desc</code> provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A <code>constraint</code> can be used to provide criteria for the allowed values. A <code>guideline</code> provides a recommendation for the use of a parameter.</p>
-      </remarks>
-   </define-assembly>
-   <define-field name="label" as-type="markup-line">
-      <formal-name>Parameter label</formal-name>
-      <description>A placeholder for a missing value, in display.</description>
-   </define-field>
-   <!-- @has-id = none on fields, when there are no attributes, permits
-     us to produce a string (not an object) on the JSON side. -->
-   <define-field name="usage" as-type="markup-line">
-      <formal-name>Parameter description</formal-name>
-      <description>Indicates and explains the purpose and use of a parameter</description>
-      <flag ref="id"/>
-   </define-field>
-   <define-field name="constraint">
-      <formal-name>Constraint</formal-name>
-      <description>A formal or informal expression of a constraint or test</description>
-      <flag ref="test"/>
-   </define-field>
-   <define-assembly name="guideline">
-      <formal-name>Guideline</formal-name>
-      <description>A prose statement that provides a recommendation for the use of a parameter.</description>
-      <model>
-         <field ref="prose"/>
-         <any/>
-      </model>
-   </define-assembly>
-   <define-field name="value" as-type="markup-line">
-      <formal-name>Value constraint</formal-name>
-      <description>Indicates a permissible value for a parameter or property</description>
-      <remarks>
-         <p>In a declaration, <code>value</code> will commonly be given in groups, indicating a set of
-        enumerated permissible values (i.e., for an element to be valid to a value constraint, it
-        must equal one of the given values).</p>
-         <p>In a parameter, a value represents a value assignment to the parameter, overriding any
-        value given at the point of insertion. When parameters are provided in OSCAL profiles, their
-        values will override any values assigned <q>lower down the stack</q>.</p>
-      </remarks>
-   </define-field>
-   <define-assembly name="select">
-      <formal-name>Selection</formal-name>
-      <description>Presenting a choice among alternatives</description>
-      <flag ref="how-many"/>
-      <model>
-         <field ref="choice" max-occurs="unbounded">
-            <group-as name="alternatives"/>
-         </field>
-         <any/>
-      </model>
-   </define-assembly>
-   <define-field name="choice" as-type="markup-line">
-      <formal-name>Choice</formal-name>
-      <description>A value selection among several such options</description>
-   </define-field>
-   <define-assembly name="part">
-      <formal-name>Part</formal-name>
-      <description>A partition or component of a control, subcontrol or part</description>
-      <flag ref="id"/>
-      <flag ref="name" required="yes"/>
-      <flag ref="ns"/>
-      <flag ref="class"/>
-      <model>
-         <field ref="title"/>
-         <field ref="prop" max-occurs="unbounded">
-            <group-as name="properties"/>
-         </field>
-         <field ref="prose"/>
-         <assembly ref="part" max-occurs="unbounded">
-            <group-as name="parts"/>
-         </assembly>
-         <field ref="link" max-occurs="unbounded">
-            <group-as name="links"/>
-         </field>
-         <any/>
-      </model>
-      <remarks>
-         <p>A <code>part</code> provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A <code>part</code> can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A <code>part</code> can contain <code>prop</code> objects that allow for enriching prose text with structured name/value information.</p>
-         <p>A <code>part</code> can be assigned an optional <code>id</code>&gt;, which allows for internal and external references to the textual concept contained within a <code>part</code>. A <code>id</code> provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a <code>catalog</code>. For example, an <code>id</code> can be used to reference or to make modifications to a control statement in a profile.</p>
-         <p>Use of <code>part</code> and <code>prop</code> provides for a wide degree of extensibility within the OSCAL catalog model. The optional <code>ns</code> provides a means to qualify a part's <code>name</code>, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a <code>ns</code> value that represents the organization, making a given namespace qualified <code>name</code> unique to that organization. This allows the combination of <code>ns</code> and <code>name</code> to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no <code>ns</code> is provided, the name is expected to be in the "OSCAL" namespace.</p>
-         <p>To ensure a <code>ns</code> is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the <code>ns</code> "https://fedramp.gov", while DoD will use the <code>ns</code> "https://defense.gov" for any organization specific <code>name</code>.</p>
-         <p>Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL-compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.</p>
-      </remarks>
-      <example>
-         <description>Multiple Parts with Different Organization-Specific Names</description>
-         <o:part name="statement" id="statement-A">
-            <o:part ns="https://fedramp.gov" name="status" id="statement-A-FedRAMP">Something FedRAMP Cares About</o:part>
-            <o:part ns="https://defense.gov" name="status" id="statement-A-DoD">Something DoD Cares About</o:part>
-         </o:part>
-      </example>
-   </define-assembly>
-   <define-flag name="test" as-type="string">
-      <formal-name>Constraint test</formal-name>
-      <description>A formal (executable) expression of a constraint</description>
-   </define-flag>
-   <define-flag name="how-many" as-type="string">
-      <formal-name>Cardinality</formal-name>
-      <description>When selecting, a requirement such as one or more</description>
-   </define-flag>
-   <define-flag name="depends-on" as-type="IDREF">
-      <formal-name>Depends on</formal-name>
-      <description>Another parameter invoking this one</description>
-   </define-flag>
-   <define-field name="prose" as-type="markup-multiline">
-      <!-- TODO: remove this field -->
-      <formal-name>Prose</formal-name>
-      <description>Prose permits multiple paragraphs, lists, tables etc.</description>
-   </define-field>
+
 </METASCHEMA>
diff --git a/src/metaschema/oscal_control_common_metaschema.xml b/src/metaschema/oscal_control_common_metaschema.xml
new file mode 100644
index 0000000000..fc783676c6
--- /dev/null
+++ b/src/metaschema/oscal_control_common_metaschema.xml
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- OSCAL CATALOG METASCHEMA -->
+<!-- validate with XSD and Schematron (linked) -->
+<?xml-model href="../../build/metaschema/lib/metaschema-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<?xml-stylesheet type="text/xsl" href="metaschema-browser.xsl"?>
+<?xml-stylesheet type="text/css" href="../../build/metaschema/lib/metaschema-author.css"?>
+<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+            xmlns:o="http://csrc.nist.gov/ns/oscal/example"
+            xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/lib/metaschema.xsd"
+            root="nominal-catalog">
+   <schema-name>OSCAL Control Catalog Format -- Common Models</schema-name>
+   <schema-version>1.0.0-milestone2</schema-version>
+   <short-name>oscal-catalog-common</short-name>
+   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
+   
+   <import href="oscal_metadata_metaschema.xml"/>
+   
+   <define-assembly name="nominal-catalog">
+      <formal-name>Nominal catalog</formal-name>
+      <description>NOT TO BE USED FOR A BASE METASCHEMA ONLY FOR A MODULE</description>
+      <!--<flag ref="id" required="yes"/>-->
+      <model>
+         <assembly ref="param"/>
+         <assembly ref="part"/>
+      </model>
+   </define-assembly>
+   
+   <define-assembly name="param">
+      <formal-name>Parameter</formal-name>
+      <description>Parameters provide a mechanism for the dynamic assignment of value(s) in a control.</description>
+      <flag ref="id" required="yes"/>
+      <flag ref="class"/>
+      <flag ref="depends-on"/>
+      <model>
+         <field ref="label">
+            <description>A short name for the parameter.</description>
+            <remarks>
+               <p>The label value should be suitable for inline display in a rendered catalog.</p>
+            </remarks>
+         </field>
+         <field ref="usage" max-occurs="unbounded">
+            <group-as name="descriptions"/>
+         </field>
+         <field ref="constraint" max-occurs="unbounded">
+            <group-as name="constraints"/>
+         </field>
+         <assembly ref="guideline" max-occurs="unbounded">
+            <group-as name="guidance"/>
+         </assembly>
+         <choice>
+            <field ref="value">
+               <description>A recommended parameter value or set of values.</description>
+               <remarks>
+                  <p>A value provided in a catalog can be redefined at any higher layer of OSCAL (e.g., Profile).</p>
+               </remarks>
+            </field>
+            <assembly ref="select">
+               <description>A set of parameter value choices, that may be picked from to set the parameter value.</description>
+               <remarks>
+                  <p>.</p>
+               </remarks>
+            </assembly>
+         </choice>
+         <field ref="link" max-occurs="unbounded">
+            <group-as name="links"/>
+         </field>
+         <any/>
+      </model>
+      <remarks>
+         <p>In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The <code>value</code> may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.</p>
+         <p>A parameter can include a variety of metadata options that support the future solicitation of one or more values. A <code>label</code> provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The <code>desc</code> provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A <code>constraint</code> can be used to provide criteria for the allowed values. A <code>guideline</code> provides a recommendation for the use of a parameter.</p>
+      </remarks>
+   </define-assembly>
+   
+   <define-field name="label" as-type="markup-line">
+      <formal-name>Parameter label</formal-name>
+      <description>A placeholder for a missing value, in display.</description>
+   </define-field>
+   
+   <define-field name="usage" as-type="markup-line">
+      <formal-name>Parameter description</formal-name>
+      <description>Indicates and explains the purpose and use of a parameter</description>
+      <flag ref="id"/>
+   </define-field>
+   
+   <define-field name="constraint">
+      <formal-name>Constraint</formal-name>
+      <description>A formal or informal expression of a constraint or test</description>
+      <flag ref="test"/>
+   </define-field>
+   
+   <define-assembly name="guideline">
+      <formal-name>Guideline</formal-name>
+      <description>A prose statement that provides a recommendation for the use of a parameter.</description>
+      <model>
+         <field ref="prose"/>
+         <any/>
+      </model>
+   </define-assembly>
+   
+   <define-field name="value" as-type="markup-line">
+      <formal-name>Value constraint</formal-name>
+      <description>Indicates a permissible value for a parameter or property</description>
+      <remarks>
+         <p>In a declaration, <code>value</code> will commonly be given in groups, indicating a set of
+        enumerated permissible values (i.e., for an element to be valid to a value constraint, it
+        must equal one of the given values).</p>
+         <p>In a parameter, a value represents a value assignment to the parameter, overriding any
+        value given at the point of insertion. When parameters are provided in OSCAL profiles, their
+        values will override any values assigned <q>lower down the stack</q>.</p>
+      </remarks>
+   </define-field>
+   
+   <define-assembly name="select">
+      <formal-name>Selection</formal-name>
+      <description>Presenting a choice among alternatives</description>
+      <flag ref="how-many"/>
+      <model>
+         <field ref="choice" max-occurs="unbounded">
+            <group-as name="alternatives"/>
+         </field>
+         <any/>
+      </model>
+   </define-assembly>
+   
+   <define-field name="choice" as-type="markup-line">
+      <formal-name>Choice</formal-name>
+      <description>A value selection among several such options</description>
+   </define-field>
+   
+   <define-assembly name="part">
+      <formal-name>Part</formal-name>
+      <description>A partition or component of a control or part</description>
+      <flag ref="id"/>
+      <flag ref="name" required="yes"/>
+      <flag ref="ns"/>
+      <flag ref="class"/>
+      <model>
+         <field ref="title"/>
+         <field ref="prop" max-occurs="unbounded">
+            <group-as name="properties"/>
+         </field>
+         <field ref="prose"/>
+         <assembly ref="part" max-occurs="unbounded">
+            <group-as name="parts"/>
+         </assembly>
+         <field ref="link" max-occurs="unbounded">
+            <group-as name="links"/>
+         </field>
+         <any/>
+      </model>
+      <remarks>
+         <p>A <code>part</code> provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A <code>part</code> can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A <code>part</code> can contain <code>prop</code> objects that allow for enriching prose text with structured name/value information.</p>
+         <p>A <code>part</code> can be assigned an optional <code>id</code>&gt;, which allows for internal and external references to the textual concept contained within a <code>part</code>. A <code>id</code> provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a <code>catalog</code>. For example, an <code>id</code> can be used to reference or to make modifications to a control statement in a profile.</p>
+         <p>Use of <code>part</code> and <code>prop</code> provides for a wide degree of extensibility within the OSCAL catalog model. The optional <code>ns</code> provides a means to qualify a part's <code>name</code>, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a <code>ns</code> value that represents the organization, making a given namespace qualified <code>name</code> unique to that organization. This allows the combination of <code>ns</code> and <code>name</code> to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no <code>ns</code> is provided, the name is expected to be in the "OSCAL" namespace.</p>
+         <p>To ensure a <code>ns</code> is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the <code>ns</code> "https://fedramp.gov", while DoD will use the <code>ns</code> "https://defense.gov" for any organization specific <code>name</code>.</p>
+         <p>Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL-compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.</p>
+      </remarks>
+      <example>
+         <description>Multiple Parts with Different Organization-Specific Names</description>
+         <o:part name="statement" id="statement-A">
+            <o:part ns="https://fedramp.gov" name="status" id="statement-A-FedRAMP">Something FedRAMP Cares About</o:part>
+            <o:part ns="https://defense.gov" name="status" id="statement-A-DoD">Something DoD Cares About</o:part>
+         </o:part>
+      </example>
+   </define-assembly>
+   
+   <define-flag name="test" as-type="string">
+      <formal-name>Constraint test</formal-name>
+      <description>A formal (executable) expression of a constraint</description>
+   </define-flag>
+
+   <define-flag name="how-many" as-type="string">
+      <formal-name>Cardinality</formal-name>
+      <description>When selecting, a requirement such as one or more</description>
+   </define-flag>
+
+   <define-flag name="depends-on" as-type="IDREF">
+      <formal-name>Depends on</formal-name>
+      <description>Another parameter invoking this one</description>
+   </define-flag>
+
+   <define-field name="prose" as-type="markup-multiline">
+      <!-- TODO: remove this field -->
+      <formal-name>Prose</formal-name>
+      <description>Prose permits multiple paragraphs, lists, tables etc.</description>
+   </define-field>
+
+</METASCHEMA>
diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml
index fc8bc6190c..698e5e1415 100644
--- a/src/metaschema/oscal_implementation-common_metaschema.xml
+++ b/src/metaschema/oscal_implementation-common_metaschema.xml
@@ -6,7 +6,7 @@
     xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
     xmlns:o="http://csrc.nist.gov/ns/oscal/example"
     xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/lib/metaschema.xsd"
-    root="VALIDATION_root">
+    root="VALIDATION_common_root">
 
     <schema-name>OSCAL Implementation Common Information</schema-name>
     <schema-version>1.0.0-milestone2</schema-version>
@@ -15,7 +15,7 @@
 
     <import href="oscal_metadata_metaschema.xml"/>
 
-    <define-assembly name="VALIDATION_root">
+    <define-assembly name="VALIDATION_common_root">
         <formal-name>(nominal root)</formal-name>
         <description>NOT TO BE USED IN A METASCHEMA</description>
         <flag ref="component-id"/>
@@ -74,7 +74,7 @@
         <formal-name>Remarks</formal-name>
         <description>TBD</description>
     </define-field>
-
+    
     <define-assembly name="supplier">
         <formal-name>Supplier</formal-name>
         <description>TBD</description>
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
index f2b7205ac3..d1aae6b66c 100644
--- a/src/metaschema/oscal_profile_metaschema.xml
+++ b/src/metaschema/oscal_profile_metaschema.xml
@@ -12,10 +12,10 @@
    <short-name>oscal-profile</short-name>
    <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
    <remarks>
-      <p>A profile designates a selection and configuration of controls and subcontrols from one or more catalogs, along with a series of operations over the controls and subcontrols. The topmost element in the OSCAL profile XML schema is <code>profile</code>.</p>
+      <p>A profile designates a selection and configuration of controls from one or more catalogs, along with a series of operations over them. The topmost element in the OSCAL profile XML schema is <code>profile</code>.</p>
    </remarks>
    <import href="oscal_metadata_metaschema.xml"/>
-   <import href="oscal_catalog_metaschema.xml"/>
+   <import href="oscal_control_common_metaschema.xml"/>
    <define-assembly name="profile">
       <formal-name>Profile</formal-name>
       <description>Each OSCAL profile is defined by a Profile element</description>
@@ -36,8 +36,8 @@
           controls from multiple catalogs. It provides mechanisms by which controls may be selected
             (<code>import</code>), merged or (re)structured (<code>merge</code>), and emended
             (<code>modify</code>). OSCAL profiles may select subsets of control sets, set parameter
-          values for them in application, and even qualify the representation of controls and
-          subcontrols as given in and by a catalog. They may also serve as sources for further
+          values for them in application, and even qualify the representation of controls as given
+          in and by a catalog. They may also serve as sources for further
           modification in and by other profiles, that import them.</p>
       </remarks>
    </define-assembly>
@@ -58,8 +58,8 @@
          <p>An <code>import</code> indicates a source whose controls are to be included (referenced
           and modified) in a profile. This source will either be a catalog whose controls are given
             (<q>by value</q>), or a profile with its own control imports (with possible settings.</p>
-         <p>The contents of the <code>import</code> element indicate which controls and subcontrols
-          from the source, will be included. Controls and subcontrols may be either selected (using
+         <p>The contents of the <code>import</code> element indicate which controls
+          from the source will be included. Controls may be either selected (using
           an <code>include</code> element) or de-selected (using an <code>exclude</code> element)
           from the source catalog or profile.</p>
          <p>When no <code>include</code> is given (whether an <code>exclude</code> is given or not),
@@ -74,7 +74,7 @@
          </import>
       </example>
    </define-assembly>
-   <!-- presence of element merge means to merge (not merely aggregate) -->
+   
    <define-assembly name="merge">
       <formal-name>Merge controls</formal-name>
       <description>A Merge element merges controls in resolution.</description>
@@ -102,7 +102,7 @@
       <flag ref="method"/>
       <remarks>
          <p>Whenever combining controls from multiple (import) pathways, an issue arises of what to do with
-           clashing invocations (multiple competing versions of a control or a subcontrol). </p>
+           clashing invocations (multiple competing versions of a control). </p>
          <p>This setting permits a profile designer to apply a rule for the resolution of such cases.
            In a well-designed profile, such collisions would ordinarily be avoided, but this setting can be
            useful for defining what to do when it occurs.</p>
@@ -115,7 +115,7 @@
    </define-field>
    <define-flag name="method" as-type="string">
       <formal-name>Combination method</formal-name>
-      <description>How clashing controls and subcontrols should be handled</description>
+      <description>How clashing controls should be handled</description>
       <valid-values>
          <value name="use-first">Use the first definition - the first control with a given ID is used; subsequent ones are discarded</value>
          <value name="merge">Merge - controls with the same ID are combined</value>
@@ -174,10 +174,10 @@
          </assembly>
       </model>
    </define-assembly>
-   <!-- Can have either 'all' or (a set of) 'call' -->
+   
    <define-assembly name="include">
       <formal-name>Include controls</formal-name>
-      <description>Specifies which controls and subcontrols to include from the resource (source catalog) being
+      <description>Specifies which controls to include from the resource (source catalog) being
           imported</description>
       <model>
          <choice>
@@ -198,70 +198,44 @@
           instruction calls controls specifically.</p>
       </remarks>
    </define-assembly>
-   <!--
-    We are permitting include/call along with exclude/call to support tweaky with-subcontrol allowances
-    But downstream (Schematron) might detect inelegant or inoperable combinations of include/call and exclude/call
-  -->
-   <!-- Only 'yes' should have any effect; processors should assume 'no' when implicit -->
+   
    <define-field name="all" as-type="empty">
       <formal-name>Include all</formal-name>
       <description>Include all controls from the imported resource (catalog)</description>
-      <flag ref="with-subcontrols"/>
+      <flag ref="with-child-controls"/>
       <remarks>
-         <p>This element provides an alternative to calling controls and subcontrols individually
+         <p>This element provides an alternative to calling controls individually
             from a catalog. But this is also the default behavior when no <code>include</code>
             element is given in an <code>import</code>; so ordinarily one might not see this element
             unless it is for purposes of including its <code>@with-subcontrols='yes'</code>
          </p>
       </remarks>
    </define-field>
-   <!--<define-assembly name="with-control" group-as="with-controls">
-      <flag name="with-control">
-         <value>yes</value>
-         <value>no</value>
-      </flag>
-   </define-assembly>-->
-   <!--
-    'call' can call *either* a control or a subcontrol by its @id
-    Schematron requirement: there exists in the catalog a control or subcontrol
-    by the given @id
-    when @with-subcontrols is used, it must be @control-id
-  -->
    <define-field name="call" as-type="empty">
-      <formal-name>Call (control or subcontrol)</formal-name>
+      <formal-name>Call</formal-name>
       <description>Call a control or subcontrol by its ID</description>
       <flag ref="control-id"/>
-      <flag ref="subcontrol-id" />
-      <flag ref="with-control"/>
-      <flag ref="with-subcontrols"/>
+      <flag ref="with-child-controls"/>
       <remarks>
-         <p>Inside <code>include</code>, If <code>@control-id</code> is used (to indicate the control
-          being referenced), <code>@subcontrol-id</code> cannot be used, and vice versa. (A single
-            <code>call</code> element is used for each control.) This constraint is enforced by the
-          schema. Likewise, <code>@with-subcontrols</code> can be used only along with
-            <code>@control-id</code> not with <code>@subcontrol-id</code>.</p>
          <p>If <code>@with-subcontrols</code> is <q>yes</q> on the call to a control, no sibling
-            <code>call</code>elements need to be used to call its subcontrols. Accordingly it may be
-          more common to call subcontrols (enhancements) by ID only to exclude them, not to include
-          them.</p>
+            <code>call</code>elements need to be used to call any controls appearing within it
+            (<q>subcontrols</q>. Since generally, this is how control enhancements are represented
+            (as controls within controls), this provides a way to include controls with all their
+            dependent controls (enhancements) without having to call them individually.</p>
       </remarks>
    </define-field>
-   <!--
-    'match' calls (includes) controls and subcontrols indiscriminately: when matching (as a regex) the @id,
-    controls or subcontrols may be included.
-    nb this means it is possible to include subcontrols w/o their controls, for later combination w/ other includes
-  -->
+   
    <define-field name="match" as-type="empty">
-      <formal-name>Match controls and subcontrols by identifier</formal-name>
+      <formal-name>Match controls by identifier</formal-name>
       <description>Select controls by (regular expression) match on ID</description>
       <flag ref="pattern"/>
       <flag ref="order"/>
-      <flag ref="with-control"/>
-      <flag ref="with-subcontrols"/>
+      <flag ref="with-child-controls"/>
    </define-field>
+   
    <define-assembly name="exclude">
       <formal-name>Exclude controls</formal-name>
-      <description>Which controls and subcontrols to exclude from the resource (source catalog) being
+      <description>Which controls to exclude from the resource (source catalog) being
           imported</description>
       <model>
          <choice>
@@ -279,6 +253,7 @@
          include and exclude something by ID simultaneously. If this happens, an error condition will be reported.</p>
       </remarks>
    </define-assembly>
+   
    <define-assembly name="set">
       <formal-name>Parameter Setting</formal-name>
       <description>A parameter setting, to be propagated to points of insertion</description>
@@ -309,11 +284,11 @@
          </assembly>
       </model>
    </define-assembly>
+   
    <define-assembly name="alter">
       <formal-name>Alteration</formal-name>
-      <description>An Alter element specifies changes to be made to an included control or subcontrol when a profile is resolved.</description>
+      <description>An Alter element specifies changes to be made to an included control when a profile is resolved.</description>
       <flag ref="control-id"/>
-      <flag ref="subcontrol-id"/>
       <model>
          <field ref="remove" max-occurs="unbounded">
             <group-as name="removals"/>
@@ -323,33 +298,46 @@
          </assembly>
       </model>
       <remarks>
-         <p>Use <code>@control-id</code> or <code>@subcontrol-id</code> to indicate the scope of alteration.</p>
-         <p>It is an error for two <code>alter</code> elements to apply to the same control or subcontrol.
+         <p>Use <code>@control-id</code> to indicate the scope of alteration.</p>
+         <p>It is an error for two <code>alter</code> elements to apply to the same control.
          In practice, multiple alterations can be applied (together), but it creates confusion.</p>
          <p>At present, no provision is made for altering many controls at once (for example, to systematically
             remove properties or add global properties); extending this element to match multiple control
             IDs could provide for this.</p>
       </remarks>
    </define-assembly>
-   <define-field as-type="empty" name="remove">
+   
+   <define-field name="remove" as-type="empty">
       <formal-name>Removal</formal-name>
-      <description>Specifies elements to be removed from a control or subcontrol, in resolution</description>
-      <flag ref="class-ref"/>
-      <flag ref="id-ref"/>
-      <flag ref="item-name"/>
+      <description>Specifies elements to be removed from a control, in resolution</description>
+      <flag name="name-ref" as-type="NCName">
+         <formal-name>References by (assigned) name</formal-name>
+         <description>Items to remove, by assigned name</description></flag>
+      <flag name="class-ref" as-type="NCName">
+         <formal-name>References by class</formal-name>
+         <description>Items to remove, by class. A token match.</description>
+      </flag>
+      <flag name="id-ref"    as-type="NCName">
+         <formal-name>References by ID</formal-name>
+         <description>Items to remove, indicated by their IDs</description></flag>
+      <flag name="item-name" as-type="NCName">
+         <formal-name>References by item name or generic identifier</formal-name>
+         <description>Items to remove, by the name of the item's type, or generic identifier, e.g. <code>title</code> or <code>prop</code></description>
+         <!-- TODO: restrict this to known valid values such as 'title' and 'prop' e.g. names of valid elements -->
+      </flag>
       <remarks>
-         <p>Use <code>@class-ref</code>, <code>@id-ref</code> or <code>@item-name</code> to indicate
+         <p>Use <code>name-ref</code>, <code>class-ref</code>, <code>id-ref</code> or <code>generic-identifier</code> to indicate
           class tokens or ID reference, or the formal name, of the component to be removed or erased
-          from a control or subcontrol, when a catalog is resolved. The control or subcontrol
-          affected is indicated by the pointer on the removal's parent (containing)
-            <code>alter</code> element.</p>
+          from a control, when a catalog is resolved. The control affected is indicated by the pointer
+          on the removal's parent (containing) <code>alter</code> element.</p>
          <p>To change an element, use <code>remove</code> to remove the element, then
             <code>add</code> to add it back again with changes.</p>
       </remarks>
    </define-field>
+   
    <define-assembly name="add">
       <formal-name>Addition</formal-name>
-      <description>Specifies contents to be added into controls or subcontrols, in resolution</description>
+      <description>Specifies contents to be added into controls, in resolution</description>
       <flag ref="position"/>
       <model>
          <field ref="title"/>
@@ -367,34 +355,26 @@
          </assembly>
       </model>
    </define-assembly>
+   
    <define-flag as-type="NCName" name="control-id">
       <formal-name>Control ID</formal-name>
       <description>Value of the 'id' flag on a target control</description>
    </define-flag>
-   <define-flag as-type="NCName" name="with-control">
-      <formal-name>Include control with subcontrol</formal-name>
-      <description>Whether a control should be implicitly included, if not called.</description>
-      <valid-values>
-         <value name="yes">Include the parent control when a subcontrol is imported.</value>
-         <value name="no">Exclude the parent control when a subcontrol is imported.</value>
-      </valid-values>
-   </define-flag>
-   <define-flag as-type="NCName" name="with-subcontrols">
-      <formal-name>Include subcontrols with control</formal-name>
-      <description>Whether subcontrols should be implicitly included, if not called.</description>
+   
+   <define-flag as-type="NCName" name="with-child-controls">
+      <formal-name>Include contained controls with control</formal-name>
+      <description>When a control is included, whether its child (dependent) controls are also included.</description>
       <valid-values>
-         <value name="yes">Include all subcontrols for a control during the import.</value>
-         <value name="no">Exclude all subcontrols for a control during the import.</value>
+         <value name="yes">Include child controls with an included control.</value>
+         <value name="no">When importing a control, only include child controls that are also explicitly called.</value>
       </valid-values>
    </define-flag>
-   <define-flag as-type="NCName" name="subcontrol-id">
-      <formal-name>Control ID</formal-name>
-      <description>Value of the 'id' flag on a target subcontrol</description>
-   </define-flag>
+   
    <define-flag as-type="string" name="pattern">
       <formal-name>Pattern</formal-name>
-      <description>A regular expression matching the IDs of one or more controls or subcontrols to be selected</description>
+      <description>A regular expression matching the IDs of one or more controls to be selected</description>
    </define-flag>
+   
    <define-flag as-type="NCName" name="order">
       <formal-name>Order</formal-name>
       <description>A designation of how a selection of controls in a profile is to be ordered.</description>
@@ -404,6 +384,7 @@
          <value name="descending"/>
       </valid-values>
    </define-flag>
+   
    <define-flag as-type="NCName" name="position">
       <formal-name>Position</formal-name>
       <description>Where to add the new content with respect to the targeted element (beside it or inside it)</description>
@@ -414,16 +395,5 @@
          <value name="ending"/>
       </valid-values>
    </define-flag>
-   <define-flag as-type="NMTOKENS" name="class-ref">
-      <formal-name>References by class</formal-name>
-      <description>Items to remove, by class</description>
-   </define-flag>
-   <define-flag as-type="NCName" name="id-ref">
-      <formal-name>References by ID</formal-name>
-      <description>Items to remove, indicated by their IDs</description>
-   </define-flag>
-   <define-flag as-type="NMTOKENS" name="item-name">
-      <formal-name>References by name</formal-name>
-      <description>Items to remove, by item type (name), e.g. title or prop</description>
-   </define-flag>
+   
 </METASCHEMA>